CVE-2018-18964

Published: Nov 6, 2018Modified: Nov 21, 2024

4.9

Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several extensions in which contained HTML can be executed, such as the svg extension.

Affected (1)

Products: Oscommerce: Online Merchant

Oscommerce

1 product

Online Merchant

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Oscommerce Online Merchant	Version 2.3.4.1

References (2)

https://github.com/osCommerce/oscommerce2/issues/631

Source: cve@mitre.org

Third Party Advisory

https://github.com/osCommerce/oscommerce2/issues/631

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.