CVE-2018-25114: osCommerce 2.3.4.1 Installer Unauthenticated Configuration File Injection PHP Code Execution

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2018-25114

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

osCommerce 2.3.4.1 Installer Unauthenticated Configuration File Injection PHP Code Execution

Source: NVD (National Vulnerability Database)

Vulnerability Description

A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

危险类型文件的不加限制上传

Source: NVD (National Vulnerability Database)

Vulnerability Title

osCommerce Online Merchant 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

osCommerce Online Merchant是osCommerce开源的一个电子商务平台。 osCommerce Online Merchant 2.3.4.1版本存在安全漏洞，该漏洞源于默认配置不安全，可能导致远程代码执行。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
osCommerce	Online Merchant	2.3.4.1	-

II. Public POCs for CVE-2018-25114

#	POC Description	Source Link	Shenlong Link
1	osCommerce Online Merchant 2.3.4.1 contains a remote code execution caused by insecure default configuration and missing authentication in the installer workflow, letting unauthenticated attackers execute arbitrary PHP code via install_4.php, exploit requires accessible /install/ directory after installation.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-25114.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2018-25114

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same vendor: osCommerce

Same weakness: CWE-434

V. Comments for CVE-2018-25114

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2018-25114

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2018-25114

III. Intelligence Information for CVE-2018-25114

IV. Related Vulnerabilities

V. Comments for CVE-2018-25114

Leave a comment