Impact
The vulnerability resides in the getCartItems function of the ShoppingCart.php library, where the shopping_cart argument is passed to PHP's unserialize without proper validation. Based on the description, an attacker who controls that argument can supply a crafted serialized payload, which may lead to arbitrary code execution. The weakness is classified under CWE-502 “Deserialization of Untrusted Data” and CWE-20 “Improper Input Validation.”
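The pattern described above, shown as an added example that is not the project's own code and not the advisory's patch: the unvalidated unserialize call beside a hardened form that refuses object instantiation and checks the decoded structure. The function names, the $shopping_cart parameter and the cart-row layout (id, quantity) are assumed for illustration.

```php
<?php
// Added example, not the project's code. Function names, the parameter
// name and the cart-row layout are assumptions for illustration.

// Vulnerable pattern: the request-supplied value reaches unserialize()
// unchanged, so the caller decides which classes get instantiated and
// any magic methods (__wakeup, __destruct) of those classes will run.
function getCartItemsVulnerable(string $shopping_cart): array
{
    $items = unserialize($shopping_cart);
    return is_array($items) ? $items : [];
}

// Hardened pattern: disallow every class, then validate the shape and
// types of the decoded data before the application relies on it.
// (Switching the cart format to JSON would avoid unserialize() entirely.)
function getCartItemsSafe(string $shopping_cart): array
{
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no application class is instantiated.
    // The @ suppresses the notice unserialize() emits on malformed input.
    $items = @unserialize($shopping_cart, ['allowed_classes' => false]);
    if (!is_array($items)) {
        return [];
    }
    $clean = [];
    foreach ($items as $row) {
        if (!is_array($row)
            || !isset($row['id'], $row['quantity'])
            || !ctype_digit((string) $row['id'])
            || !ctype_digit((string) $row['quantity'])) {
            continue; // drop malformed rows instead of trusting them
        }
        $clean[] = ['id' => (int) $row['id'], 'quantity' => (int) $row['quantity']];
    }
    return $clean;
}

// Constructed sample input: a well-formed cart and a cart that carries an
// object. The hardened function keeps the first row set and discards the
// object row, because it decodes to an incomplete class rather than an array.
$good = serialize([['id' => 7, 'quantity' => 2]]);
$bad  = serialize([new stdClass()]);
var_dump(getCartItemsSafe($good));
var_dump(getCartItemsSafe($bad));
```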
Affected Systems
This issue affects the kirilkirkov Ecommerce-CodeIgniter-Bootstrap application, specifically all releases up to commit 13fd582aaf49aeab7438acc0fc3eb973a1f5e6a7. The patch to remediate the flaw is available in commit 49b20f53de2b7ec34e920b11c863f1491d911a04.
Risk and Exploitability
The CVSS score of 8.8 classifies the flaw as high severity. An EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog; however, the advisory states that an exploit is publicly disclosed and that the flaw can be triggered remotely, which means the deserialization flaw could be exploited by remote attackers.
OpenCVE Enrichment