CVE-2021-41938: Arbitrary file upload in ShopXO
7.2
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.57359%
CWE
Published
5/20/2022
Updated
1/27/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
shopxo/shopxo | composer | <= 2.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability manifests in 3 distinct admin controllers handling file uploads via ZIP archives. Each corresponds to URLs mentioned in the exploit: 1) Theme.php
's upload handler only filters lowercase '.php' extensions, 2) Pluginsadmin.php
's upload lacks validation in admin subdirectories, and 3) Appmini.php
's themeupload accepts ZIPs with no validation. The confidence is high as the GitHub issue explicitly maps these endpoints to vulnerable functionality through demonstrated attack vectors.