Cyber Resilience

CVE-2024-5762

High

Published: 21 August 2024
Modified: 23 August 2024
KEV Added: not listed
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0911 (92.9th percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-5762 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Zen Cart (vendor: Zen-Cart). Its CVSS base score is 8.1 (High).

Operationally, its EPSS score ranks it in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Zen Cart contains a local file inclusion vulnerability in the findPluginAdminPage function that permits remote code execution on affected installations. The flaw stems from insufficient validation of user-supplied input before it is passed to a PHP include operation, allowing an attacker to supply a malicious path. The issue is tracked as ZDI-CAN-21408 and carries a CVSS 3.1 score of 8.1.

Unauthenticated remote attackers can exploit the weakness over the network, albeit with elevated attack complexity. Successful exploitation, often in combination with other vulnerabilities, grants arbitrary code execution in the context of the service account, resulting in full confidentiality, integrity, and availability impact on the target system.

The referenced Zen Cart 2.0.0 release notes and Zero Day Initiative advisory ZDI-24-883 describe the remediation steps for the affected software. The EPSS score has remained flat at 0.0911, with no material increase observed since disclosure.

Vulnerability details

Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the findPluginAdminPage function. The issue results from the lack of proper validation of user-supplied data prior to passing it to a PHP include function. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. Was ZDI-CAN-21408.
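The weakness class described above (unvalidated input reaching a PHP include) is illustrated below with an added example that is not Zen Cart's code and not taken from the ZDI advisory; the function names, the plugin directory layout and the page names are assumptions constructed for the illustration. It shows the weak pattern beside a hardened resolver that allowlists page names, canonicalises the path and confirms it stays inside the plugin directory.

```php
<?php
// Added illustration of the CWE-98 pattern. This is NOT Zen Cart's
// findPluginAdminPage; directory layout and page names are constructed.

// Weak form: a request parameter is concatenated into an include path with
// no validation, so whatever the caller supplies reaches include.
function findPluginAdminPageWeak(string $pluginDir, string $page): string
{
    return $pluginDir . '/' . $page . '.php';   // then: include $path;
}

// Hardened form: allowlist the page name, reject anything that is not a
// plain identifier, canonicalise, and confirm containment in the base dir.
function findPluginAdminPageSafe(string $pluginDir, string $page, array $allowed): ?string
{
    // 1. Only plain identifiers: no slashes, dots, NUL bytes or stream
    //    wrappers such as php:// or http:// can pass this check.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $page)) {
        return null;
    }
    // 2. Only names of known admin pages are accepted.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . '/' . $page . '.php');
    // 3. The canonical file must exist and lie under the canonical base
    //    directory (realpath returns false for a missing file).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Example use with constructed input; only a non-null result is ever included.
$allowedPages = ['orders', 'reports'];
$requested = $_GET['page'] ?? '';
$target = findPluginAdminPageSafe(__DIR__ . '/plugins/example/admin', $requested, $allowedPages);
if ($target === null) {
    http_response_code(400);
    exit('Unknown admin page');
}
include $target;
```

Logging the rejected value (with the request source) at the `null` branch gives a detection signal for probing of the include path.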

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zen-cart
Product: zen cart
Version: 1.5.8a

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-829: Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.

Addresses CWE-829: Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.

Addresses CWE-829: The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.

Addresses CWE-829: Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.

Addresses CWE-829: Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.

Addresses CWE-829: The strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.

Addresses CWE-829: Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.

Addresses CWE-829: Requires use of trusted sources and provenance tracking, tangibly limiting inclusion of functionality from untrusted control spheres.
