A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.
Metrics
Affected Vendors & Products
References
History
Wed, 23 Jul 2025 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Oscommerce
Oscommerce online Merchant |
|
Vendors & Products |
Oscommerce
Oscommerce online Merchant |
Wed, 23 Jul 2025 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 23 Jul 2025 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise. | |
Title | osCommerce 2.3.4.1 Installer Unauthenticated Configuration File Injection PHP Code Execution | |
Weaknesses | CWE-434 CWE-94 |
|
References |
|
|
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: VulnCheck
Published: 2025-07-23T13:50:09.708Z
Updated: 2025-07-23T14:46:03.069Z
Reserved: 2025-07-22T20:08:18.728Z
Link: CVE-2018-25114

Updated: 2025-07-23T14:45:54.787Z

Status : Awaiting Analysis
Published: 2025-07-23T14:15:32.447
Modified: 2025-07-25T15:29:44.523
Link: CVE-2018-25114

No data.