OsCommerce Phoenix CE Command Injection (CVE-2020-27976)

A command injection vulnerability exists in OsCommerce Phoenix CE. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system...

CVE-2020-27976

osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option...

CVE-2020-27975

osCommerce Phoenix CE before 1.0.5.4 allows admin/definelanguage.php CSRF...

CVE-2020-27976

osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option...

Cross site request forgery (csrf)

osCommerce Phoenix CE before 1.0.5.4 allows admin/definelanguage.php CSRF...

CVE-2020-27975

osCommerce Phoenix CE before 1.0.5.4 allows admin/definelanguage.php CSRF...

CVE-2020-27976

osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option...

CVE-2020-27976

osCommerce Phoenix CE prior to 1.0.5.4 is affected by a remote OS command injection via admin/mail.php where a from POST parameter can reach the PHP mail function and the sendmail -f option. Root cause is command injection in processing the from parameter, enabling remote code execution per the C...