A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary files to any writeable path via a crafted POST request.
The /content/images/add endpoint does not properly validate the target path of uploaded files. An attacker sends a crafted HTTP POST request containing path traversal sequences (e.g., '../'), which allows escaping the permitted directory and writing files to any location accessible by the server process. The attack requires no authentication or user interaction.
An attacker can write arbitrary files — including malicious executable code (e.g., web shell) — to accessible system directories, which in practice can lead to server compromise (RCE), data disclosure, or complete integrity breach of the application and operating system.
Apply patches available from the vendor according to the references. As a temporary workaround, restrict access to the /content/images/add endpoint at the firewall or web server level and require authentication for all content management operations.
Shopizer version 3.2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H