CVE-2017-15285 - OpenCVE

X-Cart 5.2.23, 5.3.1.9, 5.3.2.13, and 5.3.3 is vulnerable to Remote Code Execution. This vulnerability exists because the application fails to check remote file extensions before saving locally. This vulnerability can be exploited by anyone with Vendor access or higher. One attack methodology is to upload an image file in the Attachments section of a product catalog, upload a .php file with an "Add File Via URL" action, and change the image's Description URL to reference the .php URL in the attachments/ directory.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Qualiteam	X-cart

Configuration 1 [-]

OR	cpe:2.3:a:qualiteam:x-cart:5.2.23:::::::*
	cpe:2.3:a:qualiteam:x-cart:5.3.1.9:::::::*
	cpe:2.3:a:qualiteam:x-cart:5.3.2.13:::::::*
	cpe:2.3:a:qualiteam:x-cart:5.3.3.0:::::::*

References

Link	Resource
https://sxcurity.github.io/PHP%20Code%20Injection%20in%20X-Cart.pdf	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-12T08:00:00

Updated: 2017-10-12T07:57:01

Reserved: 2017-10-12T00:00:00

Link: CVE-2017-15285

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-10-12T08:29:00.617

Modified: 2017-11-03T16:53:02.790

Link: CVE-2017-15285

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-12T00:00:00", "descriptions": [{"lang": "en", "value": "X-Cart 5.2.23, 5.3.1.9, 5.3.2.13, and 5.3.3 is vulnerable to Remote Code Execution. This vulnerability exists because the application fails to check remote file extensions before saving locally. This vulnerability can be exploited by anyone with Vendor access or higher. One attack methodology is to upload an image file in the Attachments section of a product catalog, upload a .php file with an \"Add File Via URL\" action, and change the image's Description URL to reference the .php URL in the attachments/ directory."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-12T07:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://sxcurity.github.io/PHP%20Code%20Injection%20in%20X-Cart.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15285", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "X-Cart 5.2.23, 5.3.1.9, 5.3.2.13, and 5.3.3 is vulnerable to Remote Code Execution. This vulnerability exists because the application fails to check remote file extensions before saving locally. This vulnerability can be exploited by anyone with Vendor access or higher. One attack methodology is to upload an image file in the Attachments section of a product catalog, upload a .php file with an \"Add File Via URL\" action, and change the image's Description URL to reference the .php URL in the attachments/ directory."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://sxcurity.github.io/PHP%20Code%20Injection%20in%20X-Cart.pdf", "refsource": "MISC", "url": "https://sxcurity.github.io/PHP%20Code%20Injection%20in%20X-Cart.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15285", "datePublished": "2017-10-12T08:00:00", "dateReserved": "2017-10-12T00:00:00", "dateUpdated": "2017-10-12T07:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qualiteam:x-cart:5.2.23:*:*:*:*:*:*:*", "matchCriteriaId": "B8E903FF-8AB1-4B3D-B0A4-303E14CC343C", "vulnerable": true}, {"criteria": "cpe:2.3:a:qualiteam:x-cart:5.3.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "56A18495-7945-4A70-BC1C-F955A2EB010F", "vulnerable": true}, {"criteria": "cpe:2.3:a:qualiteam:x-cart:5.3.2.13:*:*:*:*:*:*:*", "matchCriteriaId": "FCC932CA-D539-4D75-A101-F5892FEE1A32", "vulnerable": true}, {"criteria": "cpe:2.3:a:qualiteam:x-cart:5.3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DBC2B8FB-B386-431C-9321-36A71AECC891", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "X-Cart 5.2.23, 5.3.1.9, 5.3.2.13, and 5.3.3 is vulnerable to Remote Code Execution. This vulnerability exists because the application fails to check remote file extensions before saving locally. This vulnerability can be exploited by anyone with Vendor access or higher. One attack methodology is to upload an image file in the Attachments section of a product catalog, upload a .php file with an \"Add File Via URL\" action, and change the image's Description URL to reference the .php URL in the attachments/ directory."}, {"lang": "es", "value": "X-Cart 5.2.23, 5.3.1.9, 5.3.2.13 y 5.3.3 es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad existe porque la aplicaci\u00f3n no consigue chequear las extensiones de archivos remotos antes de guardarlos localmente. Esta vulnerabilidad la puede explotar cualquiera con acceso Vendor o superior. Una metodolog\u00eda de ataque es subir un archivo de imagen en la secci\u00f3n Attachments de un cat\u00e1logo de productos, subir un archivo .php con una acci\u00f3n \"Add File Via URL\" y cambiar la URL de descripci\u00f3n de la imagen para que haga referencia a la URL .php en el directorio attachments/."}], "id": "CVE-2017-15285", "lastModified": "2017-11-03T16:53:02.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-12T08:29:00.617", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sxcurity.github.io/PHP%20Code%20Injection%20in%20X-Cart.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}