A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.
History

Wed, 23 Jul 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Oscommerce
Oscommerce online Merchant
Vendors & Products Oscommerce
Oscommerce online Merchant

Wed, 23 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 23 Jul 2025 14:00:00 +0000

Type Values Removed Values Added
Description A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.
Title osCommerce 2.3.4.1 Installer Unauthenticated Configuration File Injection PHP Code Execution
Weaknesses CWE-434
CWE-94
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-07-23T13:50:09.708Z

Updated: 2025-07-23T14:46:03.069Z

Reserved: 2025-07-22T20:08:18.728Z

Link: CVE-2018-25114

cve-icon Vulnrichment

Updated: 2025-07-23T14:45:54.787Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-07-23T14:15:32.447

Modified: 2025-07-25T15:29:44.523

Link: CVE-2018-25114

cve-icon Redhat

No data.