CVE-2018-25114

CVSS

No CVSS.

A

remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.

References

Link	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb
https://www.exploit-db.com/exploits/44374
https://www.oscommerce.com/
https://www.vulncheck.com/advisories/oscommerce-installer-unauth-config-file-injection-php-code-execution

Configurations

No configuration.

History

25 Jul 2025, 15:29

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de ejecución remota de código en osCommerce Online Merchant versión 2.3.4.1 debido a una configuración predeterminada insegura y a la falta de autenticación en el flujo de trabajo del instalador. Por defecto, el directorio /install/ permanece accesible después de la instalación. Un atacante no autenticado puede invocar install_4.php, enviar datos POST manipulados e inyectar código PHP arbitrario en el archivo configure.php. Cuando la aplicación incluye posteriormente este archivo, se ejecuta el payload inyectado, lo que resulta en una vulnerabilidad completa del servidor.

23 Jul 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-23 14:15

Updated : 2025-07-25 15:29

NVD link : CVE-2018-25114

Mitre link : CVE-2018-25114

CVE.ORG link : CVE-2018-25114

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2018-25114", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-23T14:15:32.447", "references": [{"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/44374", "source": "[email protected]"}, {"url": "https://www.oscommerce.com/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/oscommerce-installer-unauth-config-file-injection-php-code-execution", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en osCommerce Online Merchant versi\u00f3n 2.3.4.1 debido a una configuraci\u00f3n predeterminada insegura y a la falta de autenticaci\u00f3n en el flujo de trabajo del instalador. Por defecto, el directorio /install/ permanece accesible despu\u00e9s de la instalaci\u00f3n. Un atacante no autenticado puede invocar install_4.php, enviar datos POST manipulados e inyectar c\u00f3digo PHP arbitrario en el archivo configure.php. Cuando la aplicaci\u00f3n incluye posteriormente este archivo, se ejecuta el payload inyectado, lo que resulta en una vulnerabilidad completa del servidor."}], "lastModified": "2025-07-25T15:29:44.523", "sourceIdentifier": "[email protected]"}