Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tN3I4LTJyOTgtdnBwas4AA9Sw

Zip slip in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An attacker can create arbitrary files in the web root of the application and overwrite other existing files by exploiting this vulnerability.
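The defensive check this class of bug calls for, as an added example (not OpenCart's installer code and not a published fix): every entry name is validated before anything is written, and files are written only to the validated path. The function names `resolveInside` and `safeExtract` and the sample archives are hypothetical and constructed for illustration; PHP 8 with the `zip` extension is assumed.

```php
<?php
// Added example; function names and sample archives are hypothetical.

/** Return the path for $entry under $base, or null if the name is unsafe. */
function resolveInside(string $base, string $entry): ?string
{
    $entry = str_replace('\\', '/', $entry);
    // Reject empty names, absolute paths, drive prefixes and any ".." segment.
    $unsafe = $entry === '' || $entry[0] === '/' || preg_match('#^[A-Za-z]:#', $entry)
        || in_array('..', explode('/', $entry), true);
    return $unsafe ? null : rtrim($base, '/') . '/' . $entry;
}

function safeExtract(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $targets = [];
    // Pass 1: check all names first so a bad archive writes nothing at all.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $target = resolveInside($destDir, $name);
        if ($target === null) {
            $zip->close();
            throw new RuntimeException("unsafe entry rejected: $name");
        }
        $targets[] = [$name, $target];
    }
    // Pass 2: write to the validated paths, never to the raw archive name.
    foreach ($targets as [$name, $target]) {
        if (str_ends_with($name, '/')) { @mkdir($target, 0755, true); continue; }
        @mkdir(dirname($target), 0755, true);
        file_put_contents($target, $zip->getFromName($name));
    }
    $zip->close();
    return array_column($targets, 1);
}

// Constructed sample archives: one ordinary entry, one traversal entry.
$tmp = sys_get_temp_dir() . '/zipslip_' . bin2hex(random_bytes(4));
mkdir("$tmp/out", 0755, true);
foreach (['ok' => 'upload/view.txt', 'bad' => '../../escape.txt'] as $label => $entry) {
    $z = new ZipArchive();
    $z->open("$tmp/$label.zip", ZipArchive::CREATE);
    $z->addFromString($entry, 'demo');
    $z->close();
    try { print_r(safeExtract("$tmp/$label.zip", "$tmp/out")); }
    catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
}
```

The check is lexical only: it does not account for symbolic links that already exist under the destination directory, so the destination should be a fresh directory the application created itself.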

Permalink: https://github.com/advisories/GHSA-m7r8-2r98-vppj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tN3I4LTJyOTgtdnBwas4AA9Sw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: about 1 month ago


CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-m7r8-2r98-vppj, CVE-2024-21518
References: Repository: https://github.com/opencart/opencart
Blast Radius: 8.5

Affected Packages

packagist:opencart/opencart
Dependent packages: 12
Dependent repositories: 15
Downloads: 34,604 total
Affected Version Ranges: >= 4.0.0.0
No known fixed version
All affected versions: