Description
Static code injection vulnerability in ajax_save_name.php in the Ajax File Manager module in the tinymce plugin in FreeWebshop 2.2.9 R2 and earlier allows remote attackers to inject arbitrary PHP code into data.php via the selected document, as demonstrated by a call to ajax_file_cut.php and then to ajax_save_name.php.
Exploits (1)
References (3)
Core References
http://www.exploit-db.com/exploits/18121 (Exploit, Third Party Advisory; tags: exploit, x_refsource_exploit-db)
http://www.osvdb.org/77162 (Third Party Advisory, VDB Entry; tags: vdb-entry, x_refsource_osvdb)
http://www.freewebshop.org/forum/index.php?topic=5235.0 (Various Sources; tag: x_refsource_misc)
Scores
EPSS: 0.0605
EPSS Percentile: 90.8%
Details
CWE: CWE-94
Status: published
Products (11)
freewebshop/freewebshop: 2.1, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.7_wip1_2, 2.2.9
... and 1 more
Published: Aug 31, 2012
Tracked Since: Feb 18, 2026