PT-2025-38002 · Unknown · Oscommerce
Published 2025-09-16 · Updated 2025-09-16 · CVE-2009-20006
CVSS v4.0: 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
osCommerce versions up to and including 2.2 RC2a
Description
osCommerce versions up to and including 2.2 RC2a contain a flaw in the administrative file manager utility (admin/file_manager.php). The interface lacks sufficient input validation and access control for file uploads and edits. An unauthenticated attacker can upload a .php file containing arbitrary code via a crafted POST request, leading to server-side code execution.
Recommendations
osCommerce versions prior to 2.2 RC2a should be updated.
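As an added defender-side example that is not part of this advisory, the script below reads web-server access-log lines and flags POST requests to admin/file_manager.php that originate outside an assumed set of trusted administrator networks; since access logs do not record the multipart body (where the uploaded filename lives), every such POST is surfaced for review. The log lines, the trusted networks and the query strings are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Networks from which admin activity is expected (assumed; adjust per deployment).
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

def parse(line):
    """Return the captured fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True for a POST to the admin file manager from outside trusted admin networks."""
    if entry["method"] != "POST":
        return False
    path = entry["uri"].split("?", 1)[0].lower()
    if not path.endswith("/admin/file_manager.php"):
        return False
    try:
        src = ip_address(entry["ip"])
    except ValueError:
        return True  # unparseable source address: still worth a look
    return not any(src in net for net in TRUSTED_ADMIN_NETS)

def find_suspicious(lines):
    """Return (ip, timestamp, uri, status) for every line that needs review."""
    hits = []
    for line in lines:
        e = parse(line)
        if e and is_suspicious(e):
            hits.append((e["ip"], e["ts"], e["uri"], e["status"]))
    return hits

# Constructed sample log lines (not real traffic; query strings are illustrative).
SAMPLE = [
    '192.168.1.20 - - [16/Sep/2025:10:01:02 +0000] "GET /admin/file_manager.php HTTP/1.1" 200 5120',
    '192.168.1.20 - - [16/Sep/2025:10:02:15 +0000] "POST /admin/file_manager.php?action=save HTTP/1.1" 302 0',
    '203.0.113.7 - - [16/Sep/2025:10:05:44 +0000] "POST /admin/file_manager.php?action=upload HTTP/1.1" 302 0',
    '198.51.100.9 - - [16/Sep/2025:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print("review:", hit)
```

A more complete check would also correlate each flagged POST with subsequent requests for newly created .php files under the web root, which the status-only view here cannot see.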
Fix
Weakness Enumeration
Unrestricted File Upload
Related Identifiers
Affected Products
Oscommerce