Remote code execution (RCE) by unprivileged user because of custom deserialization of untrusted data

Moderate
Michael-Herzog published GHSA-r582-pv79-8f8v Nov 23, 2020

Package

No package listed

Affected versions

< 4.1.0

Patched versions

4.1.0

Description

Impact

This vulnerability affects Smartstore shops prior to version 4.1.0 where user uploads are enabled.

Patches

This vulnerability is closed in version 4.1.0.

Workarounds

Disable all user upload possibilities, i.e. avatar uploads and attribute uploads.

Severity

Moderate

CVE ID

CVE-2020-27996

Weaknesses

No CWEs
