Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-1705— Shopwind Installation DefaultController.php actionCreate code injection

CVSS 5.6 · Medium EPSS 0.09% · P25
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-1705

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Shopwind Installation DefaultController.php actionCreate code injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was found in Shopwind up to 4.6. It has been rated as critical. This issue affects the function actionCreate of the file /public/install/controllers/DefaultController.php of the component Installation. The manipulation leads to code injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-254393 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
ShopWind 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ShopWind是中国ShopWind公司的一款基于 Yii2.0 框架深度重构的 B2B2C、O2O 行业的电商系统软件。可以轻松创建和发布属于自己品牌的专业的电商平台,进行全方位的品牌宣传和产品推广。 ShopWind 4.6及之前版本存在安全漏洞,该漏洞源于文件/public/install/controllers/DefaultController.php的函数actionCreate存在代码注入漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-Shopwind 4.0 -

II. Public POCs for CVE-2024-1705

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-1705

登录查看更多情报信息。

Same Patch Batch · n/a · 2024-02-21 · 37 CVEs total

CVE-2024-222356.7 MEDIUMVMware Aria Operations 安全漏洞
CVE-2024-263115.7 MEDIUMArcher Platform 安全漏洞
CVE-2024-263104.3 MEDIUMArcher Platform 安全漏洞
CVE-2023-24334Tenda AC23 安全漏洞
CVE-2024-25381emlog 安全漏洞
CVE-2024-24476Wireshark 安全漏洞
CVE-2023-24330D-Link DIR882 安全漏洞
CVE-2023-24331D-Link DIR-816 安全漏洞
CVE-2023-24332Tenda AC6 安全漏洞
CVE-2023-24333Tenda AC21 安全漏洞
CVE-2024-24479Wireshark 安全漏洞
CVE-2024-25249He3 安全漏洞
CVE-2024-25461Creatio Terrasoft CRM 安全漏洞
CVE-2023-37177PMB SQL注入漏洞
CVE-2023-38844PMB SQL注入漏洞
CVE-2023-51828PMB SQL注入漏洞
CVE-2023-52153PMB SQL注入漏洞
CVE-2023-52154PMB 安全漏洞
CVE-2023-52155PMB SQL注入漏洞
CVE-2024-25891ChurchCRM 安全漏洞

Showing top 20 of 37 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same vendor: n/a
Same weakness: CWE-94

V. Comments for CVE-2024-1705

No comments yet

Leave a comment