CVE-2019-16123
published 2019-09-09

CVE-2019-16123: In Kartatopia PilusCart 1.4.1, the parameter filename in the file catalog.php is mishandled, leading to ../ Local File Disclosure.

Priority: P259 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 16.48% (96.6th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kartatopia | piluscart | <= 1.4.1 | |

Detection & IOCs (extracted from sources)

url: /catalog.php?filename=../../../../../../../../../etc/passwd
path: catalog.php
  • Send a GET request to /catalog.php with the 'filename' parameter set to a path traversal payload (e.g., ../../../../../../../../../etc/passwd) and check for a 200 response containing the root:[x*]:0:0 pattern, which indicates successful Local File Disclosure.
  • The vulnerable parameter is 'filename' in catalog.php; path traversal sequences (../) are not sanitized, enabling arbitrary local file read.
  • The vulnerability affects PilusCart versions up to and including 1.4.1; upgrade to 1.4.2 or apply the vendor-supplied patch.

CVSS provenance

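| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |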