CVE-2021-41649

Name of the Vulnerable Software and Affected Versions online-shopping-system-advanced (affected versions not specified)

Description The issue is related to a lack of measures to neutralize special elements when processing the cat id parameter in /homeaction.php. This can allow a remote attacker to execute arbitrary SQL code using a specially crafted script in product.php. The vulnerability exists due to the failure to sanitize user input in the /homeaction.php cat id parameter when using a post request.

Recommendations As a temporary workaround, consider disabling the /homeaction.php endpoint until a patch is available. Restrict access to the cat id parameter in the /homeaction.php endpoint to minimize the risk of exploitation. Avoid using the cat id parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.