CVE-2009-20006

osCommerce <= 2.2 Admin File Manager Arbitrary PHP Code Execution

CVSS 9.3 CRITICALEPSS 1.1%CWE-434

Vexday Risk Score

63High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.3EPSS 1.1%KEV nãoPoC públicaNuclei —Metasploit simPatch —

Lifecycle

31 Aug 2009Metasploit module available

16 Sep 2025Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

osCommerce · osCommerce

public PoCs found — 3

cve_referenceraw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rbunverified cve_referencewww.exploit-db.com/exploits/16899unverified cve_referencewww.exploit-db.com/exploits/9556unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/oscommerce_filemanager.rb https://www.exploit-db.com/exploits/16899 https://www.exploit-db.com/exploits/9556 https://www.oscommerce.com/https://www.vulncheck.com/advisories/oscommerce-arbitrary-php-code-execution