Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-pgj4-g5j4-cmfx: cart2quote/module-quotation-encoded Remote Code Execution via downloadCustomOptionAction

cart2quote/module-quotation-encoded extension may expose a critical security vulnerability by utilizing the unserialize function when processing data from a GET request. This flaw, present in the app/code/community/Ophirah/Qquoteadv/controllers/DownloadController.php and app/code/community/Ophirah/Qquoteadv/Helper/Data.php files, poses a significant risk of Remote Code Execution, especially when custom file options are employed on a product. Attackers exploiting this vulnerability could execute arbitrary code remotely, leading to unauthorized access and potential compromise of sensitive data.

ghsa
#vulnerability#git#php#rce#auth

Skip to content

Navigation Menu

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-pgj4-g5j4-cmfx

cart2quote/module-quotation-encoded Remote Code Execution via downloadCustomOptionAction

High severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024

Package

composer cart2quote/module-quotation-encoded (Composer)

Affected versions

>= 4.1.6, <= 4.4.5

>= 5.0.0, < 5.4.4

Description

Published to the GitHub Advisory Database

May 15, 2024

Last updated

May 15, 2024

ghsa: Latest News

GHSA-6jrf-rcjf-245r: changedetection.io path traversal using file URI scheme without supplying hostname