CVE-2021-27817

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-27817

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-27817.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-27817

Aliases

GHSA-xx77-w6p5-xvmj

Published

2021-03-15T17:15:22.440Z

Modified

2026-03-13T01:57:31.498199Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A remote command execution vulnerability in shopxo 1.9.3 allows an attacker to upload malicious code generated by phar where the suffix is JPG, which is uploaded after modifying the phar suffix.

References

Affected packages

Git / github.com/gongfuxiang/shopxo

Affected ranges

Type

GIT

Repo

https://github.com/gongfuxiang/shopxo

Events

Introduced

Last affected

82a926c899ae8323ee020f45f515b718a22362e8

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9.3"
        }
    ]
}

Affected versions

v1.*

v1.1.0

v1.2.0

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.8.1

v1.9.0

v1.9.1

v1.9.2

v1.9.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-27817.json"