PT-2022-10665 · Xos-Shop · Xos-Shop

Faisalfs10X · Published 2022-06-16 · Updated 2022-06-28 · CVE-2021-37764

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XOS-Shop xos shop system version 1.0.9

Description

The issue concerns an Arbitrary File Deletion vulnerability. It can be exploited via the current manufacturer image parameter of the "/shop/admin/manufacturers.php" endpoint.

Recommendations

For XOS-Shop xos shop system version 1.0.9, consider restricting access to the current manufacturer image parameter in the "/shop/admin/manufacturers.php" endpoint to minimize the risk of exploitation. Avoid using the current manufacturer image parameter until the issue is resolved.

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2021-37764

Affected Products

Xos-Shop