CVE-2019-5886
CRITICAL
ShopXO 1.2.0 - Unauthenticated Database Reinstallation and Arbitrary Code Execution via Missing Lock File Validation
Title source: llm
Description
An issue was discovered in ShopXO 1.2.0. In the application\install\controller\Index.php file, the Add method performs no lock file validation, which allows an attacker to reinstall the database. The attacker can write arbitrary code to database.php during system reinstallation.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/gongfuxiang/shopxo/issues/1
Scores
CVSS v3: 9.8
EPSS: 0.0099
EPSS Percentile: 57.8%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-667, CWE-862
Status: published
Products (1)
shopxo/shopxo 1.2.0
Published: Jan 10, 2019
Tracked Since: Feb 18, 2026