Critical CVSS 9.3

Overview

A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise.

Risk analysis

This vulnerability is rated 🔴 CRITICAL.

  • CVSS: 9.3 (CRITICAL)
  • Detected tags: rce, unauth_access (tag impact: VERY HIGH)

Recommended actions:

  • Patch/upgrade immediately (remote code execution).
  • Reduce exposure (WAF/segmentation), minimize attack surface.
  • Enforce authentication/authorization; reduce default endpoint exposure.

Recommended tools

Tags