SRC-2021-0002 : CSCart templates.manage Server Side Template Injection Remote Code Execution Vulnerability
CVE ID: CVE-2021-26121
CVSS Score: 8.8, (/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Vendors: CSCart
Affected Products: CSCart Multivendor
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CSCart. Exploitation requires authentication as a user with the Files privilege.
The specific flaw exists within the templates.manage dispatch method. The issue results from the lack of sandboxing of user-supplied Smarty template syntax. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the web server.
CSCart has not issued an update to correct this vulnerability.
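The sandboxing that the advisory describes as missing can be illustrated with Smarty's own security policy. This is an added example, not CSCart code or the researcher's proof of concept; it assumes Smarty 3.1 or 4 installed through Composer, and the names `EditableTemplatePolicy` and `build_sandboxed_smarty` are hypothetical.

```php
<?php
// Added illustration: generic Smarty 3.1/4 API, not CSCart's integration.
// Assumption: Smarty is installed with Composer (package smarty/smarty).
require __DIR__ . '/vendor/autoload.php';

// Hypothetical policy for templates that panel users are allowed to edit.
class EditableTemplatePolicy extends Smarty_Security
{
    // null = no PHP functions callable from templates.
    // Caution: an empty array() means "allow all" in this policy class.
    public $php_functions = null;
    // Same semantics for PHP functions used as modifiers ({$x|func}).
    public $php_modifiers = null;
    // null = no static class access; an empty array would allow every class.
    public $static_classes = null;
    // null = no PHP stream wrappers reachable from templates.
    public $streams = null;
    // Templates may not read PHP constants or superglobals.
    public $allow_constants = false;
    public $allow_super_globals = false;
}

function build_sandboxed_smarty(string $templateDir): Smarty
{
    $smarty = new Smarty();
    $smarty->setTemplateDir($templateDir);
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');
    // Without this call, user-edited templates compile with no restrictions.
    $smarty->enableSecurity('EditableTemplatePolicy');
    return $smarty;
}

// Constructed sample templates: one plain, one calling a benign PHP function.
$samples = [
    'plain'     => 'Hello {$name|escape}',
    'php_func'  => 'Runtime: {phpversion()}',
];

$smarty = build_sandboxed_smarty(__DIR__ . '/templates');
$smarty->assign('name', 'customer');
foreach ($samples as $label => $source) {
    try {
        echo $label, ': ', $smarty->fetch('eval:' . $source), PHP_EOL;
    } catch (SmartyException $e) {
        // The policy rejects the template at compile time.
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The second sample is rejected because `phpversion` is not permitted by the policy; the same check applies to any other PHP function a template tries to call.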
2020-01-26 – Sent to CSCart dev team
2020-01-27 – Notification of receipt from CSCart dev team
2020-02-10 – Response from CSCart as not a security bug
2020-02-12 – Public disclosure
Proof of Concept:
Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team