Vulnerabilities have been identified in a few web applications: the e-commerce/shopping cart application osCmax, osCommerce's Online Merchant, Roundcube, Osclass, and SocialEngine.
High-Tech Bridge found the vulnerabilities in osCmax versions 2.5.4 and prior and in osCommerce Online Merchant versions 2.3.4 and prior. The flaws can be exploited for remote code execution and cross-site request forgery attacks. A path traversal flaw that can be used for remote code execution affects Roundcube versions 1.1.3 and prior. In addition, High-Tech Bridge found SQL injection flaws in Osclass 3.5.9 and prior and SocialEngine 489 and earlier.
Ilia Kolochenko, CEO of High-Tech Bridge, advised that none of the vulnerabilities are easy to exploit. “Both SQL injections and RCEs can give the attacker full access to the database (and thus users' data) of the vulnerable web application.”
Roundcube developers said, “The exploit requires rather rare circumstances where the attacker has a valid Roundcube account and can write files to the webserver that runs Roundcube.”
Roundcube and Osclass developers are working on patches. Other vendors have not commented on patches thus far.