CVE-2009-2255

Zen Cart <1.3.8a-1.3.8 - RCE

Title source: llm

Description

Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative authentication for admin/record_company.php, which allows remote attackers to execute arbitrary code by uploading a .php file via the record_company_image parameter in conjunction with a PATH_INFO of password_forgotten.php, then accessing this file via a direct request to the file in images/.

Exploits (1)

exploitdb WORKING POC VERIFIED

by BlackH · phpwebappsphp

https://www.exploit-db.com/exploits/9004

View Code ZIP pw:eip

References (7)

[Vendor Advisory] http://secunia.com/advisories/35550

[Third Party Advisory, VDB Entry] http://www.osvdb.org/55344

[Exploit, Patch] http://www.securityfocus.com/bid/35467

[Patch] http://www.zen-cart.com/forum/attachment.php?attachmentid=5965

[Patch] http://www.zen-cart.com/forum/showthread.php?t=130161

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/51316

[Exploit, Third Party Advisory] http://www.exploit-db.com/exploits/9004

Scores

EPSS 0.3518

EPSS Percentile 97.1%

Details

CWE

CWE-287

Status published

Products (9)

zen-cart/zen_cart 1.1.0

zen-cart/zen_cart 1.1.3

zen-cart/zen_cart 1.2.0d

zen-cart/zen_cart 1.2.1d

zen-cart/zen_cart 1.2.4d

zen-cart/zen_cart 1.3.6

zen-cart/zen_cart 1.3.7

zen-cart/zen_cart 1.3.8

zen-cart/zen_cart < 1.3.8a

Published Jun 30, 2009

Tracked Since Feb 18, 2026