CubeCart 3.0 through 3.6 does not properly check authorization for an administration session because of a missing auth.inc.php include, which results in an absolute path traversal vulnerability in FileUpload in connector.php (aka upload.php) that allows remote attackers to upload arbitrary files via a modified CurrentFolder parameter in a direct request to admin/filemanager/upload.php.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cubecart | Devellion | 3.0.0_alpha (including) | 3.0.0_alpha (including) |
| Cubecart | Devellion | 3.0.0_alpha-2 (including) | 3.0.0_alpha-2 (including) |
| Cubecart | Devellion | 3.0.0_alpha-rgf (including) | 3.0.0_alpha-rgf (including) |
| Cubecart | Devellion | 3.0.0_beta (including) | 3.0.0_beta (including) |
| Cubecart | Devellion | 3.0.0_final (including) | 3.0.0_final (including) |
| Cubecart | Devellion | 3.0.1 (including) | 3.0.1 (including) |
| Cubecart | Devellion | 3.0.2 (including) | 3.0.2 (including) |
| Cubecart | Devellion | 3.0.3 (including) | 3.0.3 (including) |
| Cubecart | Devellion | 3.0.4 (including) | 3.0.4 (including) |
| Cubecart | Devellion | 3.0.5 (including) | 3.0.5 (including) |
| Cubecart | Devellion | 3.0.6 (including) | 3.0.6 (including) |