SRC-2021-0002 : CSCart templates.manage Server Side Template Injection Remote Code Execution Vulnerability
CVE ID: CVE-2021-26121
CVSS Score: 8.8, (/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Vendors: CSCart
Affected Products: CSCart Multivendor
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CSCart. Authentication is required to exploit this vulnerability with the Files privilege.
The specific flaw exists within the templates.manage dispatch method. The issue results from the lack of sandboxing of user-supplied Smarty template syntax. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the web server.
Vendor Response:
CSCart has not issued an update to correct this vulnerability.
Disclosure Timeline:
-
2020-01-26 – Sent to CSCart dev team
-
2020-01-27 – Notification of reciept from CSCart dev team
-
2020-02-10 – Response from CSCart as not a security bug
-
2020-02-12 – Public disclosure
Proof of Concept:
Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team