Miggo Logo
Miggo Vulnerability Database
CVE-2021-3291

CVE-2021-3291: Zen Cart vulnerable to authenticated remote code execution

7.2

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-3291
GHSA ID
GHSA-38f9-4vhq-9cr8
EPSS Score
0.97081%
CWE
CWE-78
Published
5/24/2022
Updated
7/7/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
zencart/zencartcomposer<= 1.5.7b1.5.7c

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from an eval() call that directly executes configuration values from admin input. The unpatched code (line 334) used raw $value['value'] in an eval context, while the patch adds zen_output_string sanitization. This matches the CWE-78 pattern where unsanitized user input flows into OS command execution via eval(), which can execute arbitrary PHP code including system() calls. The exploit POC demonstrates manipulating radio input values to inject OS commands through this eval pathway.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Z*n **rt *.*.** *llows **mins to *x**ut* *r*itr*ry OS *omm*n*s *y insp**tin* *n *TML r**io input *l*m*nt (wit*in t** mo*ul*s **it p***) *n* ins*rtin* * *omm*n*.

Reasoning

T** vuln*r**ility st*ms *rom *n *v*l() **ll t**t *ir**tly *x**ut*s *on*i*ur*tion v*lu*s *rom **min input. T** unp*t**** *o** (lin* ***) us** r*w $v*lu*['v*lu*'] in *n *v*l *ont*xt, w*il* t** p*t** ***s z*n_output_strin* s*nitiz*tion. T*is m*t***s t**