GHSA-pgj4-g5j4-cmfx: cart2quote/module-quotation-encoded Remote Code Execution via downloadCustomOptionAction
The cart2quote/module-quotation-encoded extension may contain a critical security vulnerability: it passes data taken from a GET request to PHP's unserialize function. The flaw, located in app/code/community/Ophirah/Qquoteadv/controllers/DownloadController.php and app/code/community/Ophirah/Qquoteadv/Helper/Data.php, poses a significant risk of Remote Code Execution, especially when custom file options are used on a product. An attacker exploiting this vulnerability could execute arbitrary code remotely, leading to unauthorized access and potential compromise of sensitive data.
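To make the pattern concrete, here is an added illustration that is not Cart2Quote's code: the unsafe shape the advisory describes (unserialize on a GET parameter in a download action) beside two hardened replacements. All function names, the `option` parameter and the `item_id`/`option_id` keys are assumptions for the example.

```php
<?php
// Added illustration, not the extension's own code. Names are hypothetical.
declare(strict_types=1);

// UNSAFE: the request decides which PHP classes get instantiated, so any class
// with a __wakeup()/__destruct() side effect reachable via the autoloader is
// callable. That is the mechanism behind "unserialize on user input => RCE".
function unsafeDecodeOption(string $param): array
{
    $raw = base64_decode($param, true);
    $data = unserialize($raw === false ? '' : $raw);
    return is_array($data) ? $data : [];
}

// Shared whitelist: exactly the two positive integers needed to locate the
// uploaded custom-option file, and nothing else.
function validateOption($data): ?array
{
    if (!is_array($data) || count($data) !== 2
        || !isset($data['item_id'], $data['option_id'])) {
        return null;
    }
    foreach ($data as $v) {
        if (!is_int($v) || $v <= 0) {
            return null;   // also rejects any object that slipped through
        }
    }
    return $data;
}

// PREFERRED FIX: a data-only format. json_decode() can never instantiate a class.
function safeDecodeOption(string $param): ?array
{
    return validateOption(json_decode($param, true, 2));
}

// COMPATIBILITY FIX when the serialized format must stay (links already sent
// out): forbid objects entirely. PHP then yields __PHP_Incomplete_Class for any
// object, which validateOption() rejects as a non-integer.
function legacyDecodeOption(string $param): ?array
{
    $raw = base64_decode($param, true);
    if ($raw === false) {
        return null;
    }
    return validateOption(@unserialize($raw, ['allowed_classes' => false]));
}

// Usage: reject the request when validation fails; never fall back to unsafe.
$option = safeDecodeOption((string) ($_GET['option'] ?? ''));
if ($option === null) {
    http_response_code(400);
    exit;
}
```

For detection, a grep for `unserialize(` over request-derived values (`$_GET`, `$_REQUEST`, `getParam(`) across the module is the quickest way to confirm whether an installed version still carries the unsafe form.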
References
- bitbucket.org/cart2quote2/cart2quote2-releases
- github.com/FriendsOfPHP/security-advisories/blob/master/cart2quote/module-quotation/2017-02-01.yaml
- github.com/advisories/GHSA-pgj4-g5j4-cmfx
- web.archive.org/web/20230131172111/https://cart2quote.zendesk.com/hc/en-us/articles/115000616303--FIXED-Security-Vulnerability-in-downloadCustomOptionAction