2 matches found
CVE-2018-18573
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files e.g., omitting .php and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=newprodu...
CVE-2018-18573
CVE-2018-18573 affects osCommerce 2.3.4.1. The issue is an incomplete an access control/blacklist mechanism in the product page’s .htaccess filtering. Remote authenticated administrators can upload new .htaccess files (for example omitting .php) and thereby achieve arbitrary PHP code execution vi...