CVE-2020-27976

Name of the Vulnerable Software and Affected Versions osCommerce Phoenix CE versions prior to 1.0.5.4

Description The issue allows for OS command injection remotely. It is caused by a vulnerable from POST parameter in the admin/mail.php file, which affects the PHP mail function and the sendmail -f option.

Recommendations For versions prior to 1.0.5.4, update to version 1.0.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin/mail.php file to minimize the risk of exploitation. Avoid using the from parameter in the affected mail functionality until the issue is resolved.