cvedb.io
CVE-2017-15285
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2017-10-12T08:29:00.617 · Last modified 2026-06-17T01:07:31.090

Summary

X-Cart 5.2.23, 5.3.1.9, 5.3.2.13, and 5.3.3 are vulnerable to Remote Code Execution. The vulnerability exists because the application fails to check the extension of a remote file before saving it locally. It can be exploited by anyone with Vendor access or higher. One attack methodology is to upload an image file in the Attachments section of a product catalog, upload a .php file with an "Add File Via URL" action, and change the image's Description URL to reference the .php URL in the attachments/ directory.
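The root cause in the summary is a remote fetch that stores whatever filename the URL carries, so a URL ending in .php lands as an executable script under a web-served directory. The following is an added example (Python, not X-Cart's own PHP code): the vulnerable naming logic next to a hardened version that allowlists the extension, verifies the bytes actually look like the declared image type, and discards the attacker-chosen basename. The function names, the allowlist and the sample payloads are constructed for illustration.

```python
import os
import posixpath
import secrets
from urllib.parse import urlparse, unquote

# Constructed allowlist: extension -> magic-byte prefixes the content must start with.
ALLOWED_IMAGE_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def vulnerable_local_name(url: str) -> str:
    """The pattern the advisory describes: reuse the remote basename verbatim,
    with no extension check. "http://attacker.example/shell.php" becomes
    attachments/shell.php, which the web server will execute when referenced."""
    return posixpath.basename(urlparse(url).path)


def safe_local_name(url: str, content: bytes) -> str:
    """Hardened replacement (hypothetical, not X-Cart's code):
    1. derive the extension from the URL path only (query string ignored),
    2. reject anything outside the image allowlist, including .php,
    3. require the fetched bytes to match the declared type, so a file renamed
       shell.php.png with PHP inside is still rejected,
    4. replace the remote basename with a random one so the attacker controls
       neither the name nor the extension of what is written to disk."""
    remote_name = unquote(posixpath.basename(urlparse(url).path))
    ext = os.path.splitext(remote_name)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    if not any(content.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        raise ValueError("fetched content does not match the declared image type")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample: a PHP payload offered under a .php URL, and a real PNG header.
    php_payload = b"<?php system($_GET['c']); ?>"
    png_payload = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("vulnerable:", vulnerable_local_name("http://attacker.example/shell.php?x=1"))
    print("safe png:  ", safe_local_name("http://attacker.example/photo.PNG", png_payload))
    for bad_url in ("http://attacker.example/shell.php", "http://attacker.example/shell.php.png"):
        try:
            safe_local_name(bad_url, php_payload)
        except ValueError as exc:
            print("rejected:  ", bad_url, "->", exc)
```

The extension check alone closes the path described in the summary; the magic-byte check and the random name are the additional layers a reviewer would ask for, and storing attachments in a directory where the web server does not execute scripts is the defence that still holds if both are bypassed.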

Affected products

qualiteam — x-cart


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.