Insecure Permissions vulnerability in sparkshop v.1.1.7 allows a remote attacker to execute arbitrary code via the Common.php component
The error results from unsafe permissions and improper validation of input data in the Common.php component. An attacker can send a specially crafted network request that is embedded in a command executed by the server without proper sanitization. The network attack vector (AV:N), lack of privilege requirements (PR:N), and no user interaction needed (UI:N) make the exploit executable completely remotely and automatically.
An attacker can gain full control over the server, including data reading and modification (C:H, I:H) and service unavailability (A:H). In practice, this means the possibility of server takeover, data theft, or malicious software installation.
Security patches provided by the vendor should be applied according to the references. Until updates are deployed, it is recommended to restrict access to the application panel exclusively to trusted IP addresses and monitor unusual server activity.
Sparkshop version 1.1.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSparkshop
APPSparkshop1.1.7
Related vulnerabilities
Krytyczna podatność File Upload umożliwiająca RCE w Sparkshop
A loop hole in the payment logic of Sparkshop v1.16 allows attackers to arbitrarily modify the number of produ...
An issue in sparkshop v.1.1.7 and before allows a remote attacker to execute arbitrary code via a crafted phar...
SparkShop <=1.1.7 is vulnerable to server-side request forgery (SSRF). This vulnerability allows attacks to sc...