From db0573c5446bcc04e257371fdb408ddededeefd6 Mon Sep 17 00:00:00 2001 From: sBatao Date: Tue, 30 Jun 2026 13:14:14 +0200 Subject: [PATCH] Improve GHSA-pgj4-g5j4-cmfx --- .../GHSA-pgj4-g5j4-cmfx.json | 42 +++---------------- 1 file changed, 6 insertions(+), 36 deletions(-) diff --git a/advisories/github-reviewed/2024/05/GHSA-pgj4-g5j4-cmfx/GHSA-pgj4-g5j4-cmfx.json b/advisories/github-reviewed/2024/05/GHSA-pgj4-g5j4-cmfx/GHSA-pgj4-g5j4-cmfx.json index 522b8873c5c60..41e0242474bb4 100644 --- a/advisories/github-reviewed/2024/05/GHSA-pgj4-g5j4-cmfx/GHSA-pgj4-g5j4-cmfx.json +++ b/advisories/github-reviewed/2024/05/GHSA-pgj4-g5j4-cmfx/GHSA-pgj4-g5j4-cmfx.json @@ -1,51 +1,29 @@ { "schema_version": "1.4.0", "id": "GHSA-pgj4-g5j4-cmfx", - "modified": "2024-05-15T18:06:58Z", + "modified": "2024-05-15T18:07:01Z", "published": "2024-05-15T18:06:58Z", "aliases": [], "summary": "cart2quote/module-quotation-encoded Remote Code Execution via downloadCustomOptionAction", - "details": "cart2quote/module-quotation-encoded extension may expose a critical security vulnerability by utilizing the unserialize function when processing data from a GET request. This flaw, present in the app/code/community/Ophirah/Qquoteadv/controllers/DownloadController.php and app/code/community/Ophirah/Qquoteadv/Helper/Data.php files, poses a significant risk of Remote Code Execution, especially when custom file options are employed on a product. Attackers exploiting this vulnerability could execute arbitrary code remotely, leading to unauthorized access and potential compromise of sensitive data. ", + "details": "-", "severity": [ { "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L" + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Packagist", - "name": "cart2quote/module-quotation-encoded" + "name": "" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { - "introduced": "4.1.6" - }, - { - "last_affected": "4.4.5" - } - ] - } - ] - }, - { - "package": { - "ecosystem": "Packagist", - "name": "cart2quote/module-quotation-encoded" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "5.0.0" - }, - { - "fixed": "5.4.4" + "introduced": "0" } ] } @@ -56,21 +34,13 @@ { "type": "PACKAGE", "url": "https://bitbucket.org/cart2quote2/cart2quote2-releases" - }, - { - "type": "WEB", - "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/cart2quote/module-quotation/2017-02-01.yaml" - }, - { - "type": "WEB", - "url": "https://web.archive.org/web/20230131172111/https://cart2quote.zendesk.com/hc/en-us/articles/115000616303--FIXED-Security-Vulnerability-in-downloadCustomOptionAction" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], - "severity": "HIGH", + "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-05-15T18:06:58Z", "nvd_published_at": null