CVE-2009-20006
Published 2025-09-16
Priority: P2 · 72 · Severity: critical, 9.3 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics all X, not defined)
Exploit: public exploit available
EPSS: 1.14% (62.7th percentile)
osCommerce versions up to and including 2.2 RC2a contain a vulnerability in the administrative file manager utility (admin/file_manager.php). The interface allows files to be uploaded and edited without sufficient input validation or access control. An unauthenticated attacker can craft a POST request that uploads a .php file containing arbitrary code; the web server then executes that code when the file is requested, with the privileges of the web server process.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oscommerce | oscommerce | <= 2.2 RC2a | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests targeting admin/file_manager.php, especially those uploading .php files
- Alert on .php file uploads via the osCommerce file manager utility from unauthenticated sessions
- Detect webshell execution originating from the osCommerce admin file manager, running with webserver permissions
- Vulnerability affects osCommerce versions up to and including 2.2 RC2a; verify target version before applying detections
- A public Metasploit exploit module exists for this vulnerability, lowering the bar for exploitation significantly
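The first three detection items above can be turned into a log-based rule. The following is an added example written for this page; it is not code from osCommerce, Rapid7 or any of the referenced sources. It assumes Apache "combined"-format access logs, uses constructed log lines (not real traffic), and uses a constructed partial baseline of legitimate .php script names. Two points a practitioner should note: an access log cannot tell whether a POST came from an authenticated admin session, so the rule flags every POST to file_manager.php and leaves the session check to correlation with admin login records; and PHP routes a request for file_manager.php followed by extra path info to the same script, so the matcher must not require the path to end exactly at the script name.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache "combined"-format access log lines (not real traffic).
# The POST target carries extra path info after file_manager.php; PHP still
# routes such a request to file_manager.php, so the matcher tolerates it.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2025:10:01:02 +0000] "GET /catalog/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2025:10:01:09 +0000] "POST /catalog/admin/file_manager.php/extra HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2025:10:01:10 +0000] "GET /catalog/admin/orders.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2025:10:01:11 +0000] "GET /catalog/admin/x.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2025:10:05:30 +0000] "GET /catalog/admin/file_manager.php HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2025:10:06:00 +0000] "POST /catalog/admin/categories.php?action=insert HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Sep/2025:11:00:00 +0000] "GET /catalog/admin/y.php HTTP/1.1" 404 210 "-" "curl/8.0"
"""

# Apache combined log format: ip ident user [timestamp] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Matches the script itself and any path-info suffix, but not e.g. file_manager.php.bak
FILE_MANAGER_RE = re.compile(r"/admin/file_manager\.php(?:/|$)")

# Partial baseline of legitimate script names, constructed for this example.
# Build the real one from a clean install of the deployed osCommerce version.
KNOWN_PHP = {"file_manager.php", "login.php", "index.php", "orders.php", "categories.php"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["target"].split("?", 1)[0]  # drop the query string
    return ev


def analyze(log_text, window=timedelta(minutes=10), known_php=KNOWN_PHP):
    """Flag POSTs to the admin file manager, then flag later requests from the
    same client for .php files outside the baseline: the shape of an uploaded
    webshell being invoked."""
    findings = []
    last_upload = {}  # client ip -> timestamp of its most recent file-manager POST
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and FILE_MANAGER_RE.search(ev["path"]):
            last_upload[ev["ip"]] = ev["ts"]
            findings.append({"kind": "file_manager_post", "ip": ev["ip"], "path": ev["path"]})
            continue
        basename = ev["path"].rsplit("/", 1)[-1]
        if basename.endswith(".php") and basename not in known_php:
            seen = last_upload.get(ev["ip"])
            if seen is not None and ev["ts"] - seen <= window:
                findings.append({"kind": "possible_webshell", "ip": ev["ip"], "path": ev["path"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed input the rule produces two findings for 203.0.113.7 (the POST to file_manager.php with path info, then the request for the unknown x.php) and nothing for the client that only viewed the file manager or posted to a different admin script. Tune the window and the baseline to the deployment; a version check against the affected range (<= 2.2 RC2a) decides whether the first finding alone is already worth paging on.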
No detection rules found.
No writeups or analysis indexed.
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb
- https://www.exploit-db.com/exploits/16899
- https://www.exploit-db.com/exploits/9556
- https://www.oscommerce.com/
- https://www.vulncheck.com/advisories/oscommerce-arbitrary-php-code-execution