CVE-2015-8352

CRITICAL

Zen Cart <1.5.4 - Path Traversal

Title source: llm

Description

Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php.

Exploits (1)

exploitdb WRITEUP VERIFIED

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/39017

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/537129/100/0/threaded

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/39017/

[Exploit, Patch, Technical Description, Third Party Advisory] https://www.htbridge.com/advisory/HTB23282

[Patch, Release Notes, Vendor Advisory] https://www.zen-cart.com/showthread.php?218914-Security-Patches-for-v1-5-4-November-2015

Scores

CVSS v3 9.8

EPSS 0.3849

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

zen-cart/zen_cart 1.5.4

Published Aug 24, 2017

Tracked Since Feb 18, 2026