CVE-2009-20006
Awaiting Analysis
Published: 16 Sept 2025, 15:15
Last modified: 17 Sept 2025, 14:18
Vulnerability Summary
Overall Risk: High Risk (59/100)
CVSS Score: 9.3 CRITICAL (v4.0)
EPSS Score: 57.84% (CRITICAL), 98th percentile
CISA KEV: Not listed
Ransomware: No reports
Exploits: 1 found
Dark Web: Not detected
osCommerce versions up to and including 2.2 RC2a contain a vulnerability in the administrative file manager utility (admin/file_manager.php). The interface allows files to be uploaded and edited without sufficient input validation or access control. An unauthenticated attacker can craft a POST request that uploads a .php file containing arbitrary code, which the web server then executes with its own privileges.
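The description above names a single script, admin/file_manager.php, that an unauthenticated client should never be able to reach successfully. The following detector, added here as an illustration and not code from osCommerce, VulnCheck or the Metasploit module, walks Apache/nginx "combined" access-log lines and flags every request that reached that script without being bounced to a login page. The log lines are constructed samples using documentation IP ranges; the choice to match the script name anywhere in the path (the admin directory is often renamed or sits under a catalog prefix) and to report extra path segments appended after the script name (a common way to confuse authorization checks keyed on the script name) are assumptions of this example, not statements about the exploit.

```python
"""Flag access-log requests that reach osCommerce's admin/file_manager.php.

Added illustration for this advisory (not osCommerce or Metasploit code).
The log text below is a constructed sample in Apache/nginx "combined" format.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Script named by the advisory; matched anywhere in the path because the admin
# directory may be renamed or nested under a catalog prefix (assumption).
TARGET_SCRIPT = "admin/file_manager.php"

# Responses that mean the request was redirected (typically to login) or refused.
DENIED_STATUSES = {301, 302, 303, 307, 401, 403}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample: documentation IP ranges, no real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2025:15:15:02 +0000] "POST /catalog/admin/file_manager.php?x=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [16/Sep/2025:15:15:05 +0000] "GET /catalog/admin/file_manager.php/x.php HTTP/1.1" 200 77 "-" "curl/8.4.0"
198.51.100.4 - - [16/Sep/2025:15:16:10 +0000] "GET /catalog/index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2025:15:17:00 +0000] "GET /catalog/admin/file_manager.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Sep/2025:15:18:30 +0000] "POST /shop//admin/file_manager.php/anything HTTP/1.1" 200 420 "-" "python-requests/2.32"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict) -> Optional[str]:
    """Return why the request is interesting, or None if it is not.

    'post'      successful POST to the file manager (a write/upload attempt)
    'pathinfo'  extra path segments after the script name (possible auth confusion)
    'get'       plain successful GET of the file manager
    Reasons combine with '+', e.g. 'post+pathinfo'.
    """
    split = urlsplit(entry["target"])
    # Decode percent-encoding, squash repeated slashes, ignore case.
    path = re.sub(r"/+", "/", unquote(split.path)).lower()
    idx = path.find(TARGET_SCRIPT)
    if idx < 0 or entry["status"] in DENIED_STATUSES:
        return None
    suffix = path[idx + len(TARGET_SCRIPT):]
    reasons = []
    if entry["method"] == "POST":
        reasons.append("post")
    if suffix:
        reasons.append("pathinfo")
    return "+".join(reasons) or "get"


def scan(log_text: str) -> list:
    """Return [(ip, timestamp, reason, target)] for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["ts"], reason, entry["target"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%-14s %s %-14s %s" % hit)
```

Run it against a real access log with `scan(open(path).read())`; a 2xx POST to the file manager from an address that never completed the admin login flow is the line to pull into the incident timeline, and 'pathinfo' hits deserve a look even when the status is 200 on an otherwise patched host.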
Source Identifier: disclosure@vulncheck.com
CVSS | Source | Severity | Exploitability | Impact | Vector
---|---|---|---|---|---
v4.0 | disclosure@vulncheck.com | 9.3 CRITICAL | n/a | n/a | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/V...
v3.1 | n/a | n/a | n/a | n/a | n/a
v3.0 | n/a | n/a | n/a | n/a | n/a
v2.0 | n/a | n/a | n/a | n/a | n/a
CWE-434: Unrestricted Upload of File with Dangerous Type
Description: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
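The weakness definition above, combined with the missing access control in the vulnerability description, is what a hardened upload handler has to close. The following code is an added illustration written for this page in Python rather than osCommerce's PHP; it is not osCommerce code, and the session dictionary, the allowed image types and the storage directory are assumptions. It checks authorization before anything else, refuses any dotted segment that a web server might execute (so `shell.php.jpg` and `.htaccess` fail, not only `shell.php`), verifies the content against the declared type's magic bytes, and never lets the client choose the stored file name.

```python
"""Admin file upload hardened against CWE-434 and missing access control.

Added illustration for this advisory (not osCommerce code). The session
layout, accepted types and storage directory are assumptions of the example.
"""
import secrets
from pathlib import Path, PurePosixPath
from typing import Optional

# Allowlist: extension -> magic-byte prefix the content must start with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Any dotted segment in the name matching one of these is refused, so
# "shell.php.jpg" and ".htaccess" are rejected as well as "shell.php".
EXECUTABLE_SEGMENTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc",
    "cgi", "pl", "py", "sh", "htaccess",
}

# A genuine image has no reason to contain these; a rare false positive on
# binary data is an acceptable price for refusing image/PHP polyglots.
PHP_MARKERS = (b"<?php", b"<?=")


class UploadRejected(ValueError):
    """Raised when a request fails access control or file validation."""


def require_admin(session: dict) -> None:
    """Access control comes first: the file manager is administrator-only.

    `session` is an assumed mapping such as {"admin_id": 3}.
    """
    if not session or not session.get("admin_id"):
        raise UploadRejected("not an authenticated administrator")


def rejection_reason(client_filename: str, content: bytes) -> Optional[str]:
    """Return why the upload must be refused, or None if it passes every check."""
    # Keep only the last path component: "../admin/x.png" -> "x.png".
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    segments = name.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return "file needs a base name and one extension"
    if any(seg in EXECUTABLE_SEGMENTS for seg in segments):
        return "executable or server-configuration file type"
    ext = segments[-1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return f".{ext} is not an allowed type"
    if not content.startswith(magic):
        return "content does not match the declared type"
    if any(marker in content for marker in PHP_MARKERS):
        return "embedded script markers inside image data"
    return None


def safe_storage_name(client_filename: str, content: bytes) -> str:
    """Validate the upload and return a server-chosen, non-executable file name."""
    reason = rejection_reason(client_filename, content)
    if reason is not None:
        raise UploadRejected(reason)
    ext = client_filename.lower().rsplit(".", 1)[-1]
    # The client never picks the stored name; the extension is from our allowlist.
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(session: dict, client_filename: str, content: bytes,
                  store_dir: Path) -> Path:
    """Full flow: authorize, validate, then write to a directory outside the web root."""
    require_admin(session)
    store_dir.mkdir(parents=True, exist_ok=True)
    stored = store_dir / safe_storage_name(client_filename, content)
    stored.write_bytes(content)
    return stored
```

`store_dir` should be a path the web server is not configured to serve or execute from; files are then handed back through a download handler that sets the content type itself rather than by serving the directory directly.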
Not listed in CISA Known Exploited Vulnerabilities catalog.
No dark web activity detected for this vulnerability.
Exploit: metasploit module (platform: PHP), verified
Author: egypt <egypt@metasploit.com>
Published: 31 Aug 2009, 00:00
Updated: 06 Oct 2025, 17:15
osCommerce is a popular open source E-Commerce application. The admin console contains a file management utility that allows administrators to upload, download, and edit files. This could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver.
References: CVE-2009-20006, OSVDB-60018, EDB-9556
No affected systems information available.
URL | Tags | Source |
---|---|---|
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb | - | disclosure@vulncheck.com |
https://www.exploit-db.com/exploits/16899 | - | disclosure@vulncheck.com |
https://www.exploit-db.com/exploits/9556 | - | disclosure@vulncheck.com |
https://www.oscommerce.com/ | - | disclosure@vulncheck.com |
https://www.vulncheck.com/advisories/oscommerce-arbitrary-php-code-execution | - | disclosure@vulncheck.com |