Dmitry Pavlov

Researcher from SolidSoft LLC
#24861 of 53,635
9.8 Total CVSS
Vulnerabilities · 1
PT-2022-16469
9.8
2022-05-17
Skyoftech · Skyoftech So Listing Tabs · CVE-2022-24108
**Name of the Vulnerable Software and Affected Versions**

Skyoftech So Listing Tabs module version 2.2.0 for OpenCart

**Description**

The issue allows a remote attacker to inject a serialized PHP object via the `setting` parameter, potentially resulting in the ability to write to files on the server, cause Denial of Service (DoS), and achieve remote code execution because of deserialization of untrusted data.

**Recommendations**

For Skyoftech So Listing Tabs module version 2.2.0, consider disabling the module until a patch is available to prevent exploitation. Restrict access to the `setting` parameter to minimize the risk of deserialization of untrusted data. At the moment, there is no information about a newer version that contains a fix for this issue.