CVE-2020-35754

HIGH

Opensolution Quick.cart < 6.7 - Code Injection

Title source: rule

Description

OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab.

Exploits (1)

exploitdb WORKING POC

by mari0x00 · pythonwebappsphp

https://www.exploit-db.com/exploits/49494

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/161189/Quick.CMS-6.7-Remote-Code-Execution.html

[Product] https://opensolution.org/cms-system-quick-cms.html

[Various Sources] https://opensolution.org/security-fix-for-cart-and-cms%21-en-1136.html

[Exploit, Third Party Advisory] https://secator.pl/index.php/2021/01/28/cve-2020-35754-authenticated-rce-in-quick-cms-and-quick-cart/

Scores

CVSS v3 7.2

EPSS 0.1446

EPSS Percentile 94.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

opensolution/quick.cart < 6.7

opensolution/quick.cms < 6.7

Published Jan 28, 2021

Tracked Since Feb 18, 2026