Description
A remote command execution vulnerability in shopxo 1.9.3 allows an attacker to upload malicious code packaged as a phar archive: the attacker generates the phar, changes its suffix to JPG, and uploads the renamed file.
References (2)
Core References
Product x_refsource_misc
https://github.com/gongfuxiang/shopxo
Broken Link x_refsource_misc
https://github.com/h4ckdepy/vuls/blob/main/shopxo.md
Scores
CVSS v3
9.8
EPSS
0.0130
EPSS Percentile
79.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (2)
shopxo/shopxo
1.9.3
shopxo/shopxo
0
Packagist
Published
Mar 15, 2021
Tracked Since
Feb 18, 2026