Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14eDc3LXc2cDUteHZtas4AAn1j
ShopXO RCE Vulnerability
A remote command execution vulnerability in ShopXO 1.9.3 allows an attacker to upload malicious code generated as a phar archive: the phar file's suffix is changed to JPG, and the renamed file is then uploaded.
Permalink: https://github.com/advisories/GHSA-xx77-w6p5-xvmj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14eDc3LXc2cDUteHZtas4AAn1j
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 10 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-xx77-w6p5-xvmj, CVE-2021-27817
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-27817
- https://github.com/h4ckdepy/vuls/blob/main/shopxo.md
- https://github.com/advisories/GHSA-xx77-w6p5-xvmj
Blast Radius: 1.0
Affected Packages
packagist:shopxo/shopxo
Dependent packages: 0
Dependent repositories: 0
Downloads: 599 total
Affected Version Ranges: <= 1.9.3
No known fixed version
All affected versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.9.3