CVE-2015-8356

HIGH

Bitrix mcart.xls <6.5.2 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-8356. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary: The provided exploit code demonstrates multiple SQL injection vulnerabilities in the mcart.xls Bitrix module, allowing authenticated attackers to execute arbitrary SQL queries. The PoC includes DNS exfiltration and file write techniques to extract sensitive data or achieve remote code execution.

Description

Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 and earlier for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) xls_profile parameter to admin/mcart_xls_import.php or the (2) xls_iblock_id, (3) xls_iblock_section_id, (4) firstRow, (5) titleRow, (6) firstColumn, (7) highestColumn, (8) sku_iblock_id, or (9) xls_iblock_section_id_new parameter to admin/mcart_xls_import_step_2.php.

Exploits (1)

exploitdb WORKING POC
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/39246

Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: mcart.xls Bitrix module 6.5.2 and prior
Auth required
Prerequisites: Authenticated access to the vulnerable module · Database hosted on a Windows system for DNS exfiltration
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/135258/Bitrix-mcart.xls-6.5.2-SQL-Injection.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97669
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537288/100/0/threaded
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.htbridge.com/advisory/HTB23279
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39246/

Scores

CVSS v3 8.0
EPSS 0.0273
EPSS Percentile 84.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (1)
bitrix_project/bitrix < 6.5.2
Published Apr 14, 2017
Tracked Since Feb 18, 2026