CVE-2009-20006

osCommerce <= 2.2 Admin File Manager Arbitrary PHP Code Execution

Description

osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.

INFO

Published Date :

2025-09-16T14:33:40.335Z

Last Modified :

2025-09-16T18:17:29.885Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2009-20006 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2009-20006.

URL	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb
https://www.exploit-db.com/exploits/16899
https://www.exploit-db.com/exploits/9556
https://www.oscommerce.com/
https://www.vulncheck.com/advisories/oscommerce-arbitrary-php-code-execution

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability