Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-5762

Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the findPluginAdminPage function. The issue results from the lack of proper validation of user-supplied data prior to passing it to a PHP include function. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. Was ZDI-CAN-21408.

Published

2024-08-21T17:15:08.810

Last Modified

2024-08-23T16:43:19.497

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

Weaknesses

Type: Secondary
CWE-98
Type: Primary
CWE-829

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	zen-cart	zen_cart	1.5.8a	Yes

References

https://docs.zen-cart.com/release/whatsnew_2.0.0 Release Notes ([email protected])
https://www.zerodayinitiative.com/advisories/ZDI-24-883/ Third Party Advisory, VDB Entry ([email protected])