Server-Side Request Forgery Vulnerability in ShopXO E-Commerce Platform
CVE-2024-6524

8.8HIGH

Key Information:

Vendor

ShopXO

Status
Shopxo
Vendor
CVE Published:
5 July 2024

Badges

👾 Exploit Exists

What is CVE-2024-6524?

A critical vulnerability has been identified in the ShopXO e-commerce platform, affecting versions up to 6.1.0. This flaw pertains to an unknown functionality within the file 'extend/base/Uploader.php'. It allows an attacker to manipulate the 'source' argument, potentially leading to server-side request forgery (SSRF). This vulnerability can be exploited remotely, allowing unauthorized access to perform actions or retrieve sensitive information from internal systems. The exploit has been publicly disclosed, raising serious concerns about the security posture of installations running affected versions. Therefore, it is crucial for organizations to review their ShopXO installations and apply necessary updates or patches to mitigate this risk.

Affected Version(s)

ShopXO 6.0

ShopXO 6.1

References

https://vuldb.com/?id.270367
vdb-entrytechnical-description
https://vuldb.com/?ctiid.270367
signaturepermissions-required
https://vuldb.com/?submit.365173
third-party-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

J1rrY (VulDB User)
.