CubeCart Authenticated Server-Side Template Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A critical authenticated server-side template injection vulnerability has been identified in CubeCart versions prior to 6.7.0. It affects multiple modules, including Email Templates, Invoices, Documents, and Contact Forms. The issue arises because the application evaluates user-supplied input through the Smarty template engine without enforcing a security policy, which allows authenticated users with administrative rights to execute arbitrary operating system commands on the server, resulting in remote code execution.
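The following PHP is an added example, not CubeCart's code and not the fix shipped in 6.7.0. It shows the kind of Smarty security policy whose absence the advisory describes: an admin-supplied template string is compiled under a restrictive Smarty_Security subclass so it can still format assigned variables but cannot call PHP functions, access static classes or superglobals, or pull in further template code. It assumes Smarty 4.x installed via Composer; the policy class, the render function and the sample order data are constructed for illustration.

```php
<?php
// Added example (not CubeCart or Smarty project code): render an admin-edited
// template string under a restrictive Smarty_Security policy.
// Assumes Smarty 4.x installed via Composer.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader path

/**
 * Restrictive policy for templates edited in an admin UI.
 * Smarty's convention: null disables a category entirely, while an
 * empty array means "allow everything", so null is used below on purpose.
 */
class Restricted_Template_Policy extends Smarty_Security
{
    /** No PHP function may be called from a template. */
    public $php_functions = null;

    /** Only these PHP functions may be used as modifiers, e.g. {$x|escape}. */
    public $php_modifiers = ['escape', 'count'];

    /** No static class access of the form {SomeClass::method()}. */
    public $static_classes = null;

    /** No {$smarty.server}, {$smarty.env}, {$smarty.request} and friends. */
    public $allow_super_globals = false;

    /** No PHP constants inside templates. */
    public $allow_constants = false;

    /** Tags that read files or URLs, or evaluate further template code. */
    public $disabled_tags = ['include', 'extends', 'fetch', 'insert', 'eval'];
}

/**
 * Render an admin-supplied template string with the policy enforced.
 * A policy violation throws SmartyCompilerException before anything runs.
 */
function render_admin_template(string $template, array $vars): string
{
    $smarty = new Smarty();
    // Compiled templates need a writable directory; a temp dir is enough here.
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_example_compile');
    // HTML-escape every {$var} output automatically.
    $smarty->escape_html = true;
    $smarty->enableSecurity(Restricted_Template_Policy::class);

    foreach ($vars as $name => $value) {
        $smarty->assign($name, $value);
    }
    // The "string:" resource compiles the template text itself, not a file.
    return $smarty->fetch('string:' . $template);
}

// Constructed sample data (not from the advisory).
$order = [
    'customer_name' => 'Ada <Lovelace>',
    'order_id'      => 'EX-1001',
    'items'         => ['widget', 'gadget'],
];

// A benign template that only formats assigned variables renders normally,
// with the customer name HTML-escaped by escape_html.
$benign = 'Hello {$customer_name}, order #{$order_id} contains {$items|count} item(s).';
echo render_admin_template($benign, $order), PHP_EOL;

// A template that uses a PHP function outside the modifier allow-list is
// refused at compile time; no part of it executes.
$disallowed = 'Hello {$customer_name|strtoupper}';
try {
    render_admin_template($disallowed, $order);
} catch (SmartyCompilerException $e) {
    echo 'Rejected by policy: ', $e->getMessage(), PHP_EOL;
}
```

The check happens when Smarty compiles the template, so a template that violates the policy is never executed, whether it is rendered immediately on save or stored and parsed later on the storefront. The same render path should be used for every place admin-editable template text is evaluated; a policy applied to one module but not another leaves the gap the advisory describes.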

Impact

Exploitation of this vulnerability allows authenticated users with administrative privileges to execute arbitrary commands on the server, leading to remote code execution. This could be used to deploy web shells or to access sensitive system files, databases, and internal network resources.

Reproduction

To reproduce this vulnerability, log into the CubeCart admin panel with an admin account. Navigate to File Manager and select Email Templates or Documents. Inject a payload into the content area, making sure to include the application variables the template requires. Once the template is saved, the injected command executes immediately on the server. For stored execution, enable the 'Parse Smarty Tags' option before saving, which executes the command when the document is accessed on the storefront.

Remediation

Users are advised to update CubeCart to version 6.7.0 or later, where this vulnerability has been fixed.

Added: May 13, 2026, 9:21 PM
Updated: May 13, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread           5.2
impact          10.0
exploitability   5.7
remediation      7.7
relevance        8.2
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.