CVE-2021-27817
CRITICAL
shopxo 1.9.3 - Remote Code Execution via PHAR File Upload with JPG Extension
Title source: llm
Description
A remote command execution vulnerability in shopxo 1.9.3 allows an attacker to upload malicious code packaged as a phar file: the attacker changes the phar suffix to JPG and then uploads the file.
References (2)
Core References
Product x_refsource_misc
https://github.com/gongfuxiang/shopxo
Broken Link x_refsource_misc
https://github.com/h4ckdepy/vuls/blob/main/shopxo.md
Scores
CVSS v3
9.8
EPSS
0.0323
EPSS Percentile
86.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (2)
shopxo/shopxo
1.9.3
shopxo/shopxo
0
Packagist
Published
Mar 15, 2021
Tracked Since
Feb 18, 2026