CVE-2022-24108

CRITICAL

So Listing Tabs module 2.2.0 for OpenCart - Code Injection

Title source: llm

Description

The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on the server, cause DoS, and achieve remote code execution because of deserialization of untrusted data.

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/167197/OpenCart-So-Listing-Tabs-2.2.0-Unsafe-Deserialization.html

[Product, Third Party Advisory] https://codecanyon.net/item/so-listing-tabs-responsive-opencart-module/12388133

[Exploit, Mailing List, Third Party Advisory] https://seclists.org/fulldisclosure/2022/May/30

[Product, Third Party Advisory] https://www.smartaddons.com/opencart-extensions/so-listing-tabs-responsive-opencart-30x-opencart-2x-module

Scores

CVSS v3 9.8

EPSS 0.4064

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

skyoftech/so_listing_tabs

Timeline

Published May 17, 2022

Tracked Since Feb 18, 2026