Remote code execution (RCE) by unprivileged user because of custom deserialization of untrusted data

Moderate

Michael-Herzog published GHSA-r582-pv79-8f8v

Nov 23, 2020

Package

No package listed

Affected versions

< 4.1.0

Patched versions

4.1.0

Description

Impact

This vulnerability affects Smartstore shops prior version 4.1.0 where user uploads are enabled.

Patches

This vulnerability is closed in version 4.1.0.

Workarounds

Disable all user upload possibilities > avatar uploads & attribute uploads.