SRC-2021-0002 : CSCart templates.manage Server Side Template Injection Remote Code Execution Vulnerability

CVE ID: CVE-2021-26121

CVSS Score: 8.8 (/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: CSCart

Affected Products: CSCart Multivendor

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of CSCart. Exploitation requires authentication as a user with the Files privilege.

The specific flaw exists within the templates.manage dispatch method. The issue results from the lack of sandboxing of user-supplied Smarty template syntax. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the web server.
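The root cause named above is user-supplied Smarty source compiled without a sandbox. As an added example (not taken from this advisory or from CSCart's code), the following shows untrusted template source rendered under a Smarty security policy, so that a PHP function call in a template is rejected at compile time. It assumes Smarty 3.1 or 4.x installed with Composer; `renderUntrusted()` is a hypothetical helper name and the sample templates are constructed.

```php
<?php
// Added example, not CSCart code. Assumes Smarty 3.1 or 4.x from Composer.
require __DIR__ . '/vendor/autoload.php';

// renderUntrusted() is a hypothetical helper name used only for this illustration.
function renderUntrusted(string $source, array $vars): string
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');

    $policy = new Smarty_Security($smarty);
    // In Smarty_Security, null means "none allowed"; an empty array means "all allowed".
    $policy->php_functions       = null;   // no PHP functions inside template expressions
    $policy->php_modifiers       = null;   // no PHP functions used as |modifiers
    $policy->static_classes      = null;   // no Class::method() or Class::$prop access
    $policy->streams             = null;   // no PHP stream wrappers
    $policy->allow_constants     = false;  // no PHP constants
    $policy->allow_super_globals = false;  // no $smarty.get, $smarty.server, ...
    $policy->disabled_tags       = ['fetch', 'eval', 'include_php'];
    $smarty->enableSecurity($policy);

    $smarty->assign($vars);
    try {
        // "string:" compiles the supplied source instead of loading a file
        return $smarty->fetch('string:' . $source);
    } catch (SmartyException $e) {
        // Policy violations surface as a SmartyException at compile time
        return '[rejected] ' . $e->getMessage();
    }
}

// Constructed sample inputs: one benign template, one that calls a PHP function.
$samples = [
    'plain variable'    => 'Hello {$name|escape}',
    'PHP function call' => '{if strlen($name) > 3}long name{/if}',
];
foreach ($samples as $label => $tpl) {
    echo $label, ': ', renderUntrusted($tpl, ['name' => 'Alice']), PHP_EOL;
}
```

The null-versus-empty-array distinction is the setting most often gotten wrong: assigning `[]` to `php_functions`, `php_modifiers`, `static_classes` or `streams` allows everything rather than nothing.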

Vendor Response:

CSCart has not issued an update to correct this vulnerability.

Disclosure Timeline:

  • 2020-01-26 – Sent to CSCart dev team

  • 2020-01-27 – Notification of receipt from CSCart dev team

  • 2020-02-10 – Response from CSCart as not a security bug

  • 2020-02-12 – Public disclosure

Proof of Concept:

Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team