CVE-2024-33438

8.0 HIGH

📋 TL;DR

This CVE describes a file upload vulnerability in CubeCart e-commerce software that allows authenticated users to upload malicious .phar files, leading to arbitrary code execution. It affects CubeCart installations before version 6.5.5. Attackers with authenticated access can potentially take full control of affected systems.

💻 Affected Systems

Products:
  • CubeCart
Versions: All versions before 6.5.5
Operating Systems: All platforms running CubeCart
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; affects all default installations of vulnerable versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing remote code execution, data theft, website defacement, and lateral movement within the network.

🟠 Likely Case

Unauthorized file upload leading to web shell installation, data exfiltration, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper file upload restrictions and authentication controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated user access; .phar file upload leads to code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.5

Vendor Advisory: https://forums.cubecart.com/topic/59046-cubecart-655-released-minor-security-update/

Restart Required: No

Instructions:

1. Back up your CubeCart installation and database.
2. Download CubeCart 6.5.5 from the official repository.
3. Replace all files with the new version.
4. Verify the installation works correctly.

🔧 Temporary Workarounds

File Upload Restriction

Applies to: all

Restrict file uploads to prevent .phar file uploads via web server configuration.

# Apache: Add to .htaccess (Apache 2.2 syntax; on Apache 2.4 without
# mod_access_compat use "Require all denied" instead of the two Order/Deny lines)
<FilesMatch "\.phar$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# Nginx: Add to server block
location ~ \.phar$ {
    deny all;
}

Authentication Hardening

Applies to: all

Implement strong authentication controls and monitor user upload activities.

🧯 If You Can't Patch

  • Implement strict file upload validation to block .phar extensions
  • Restrict authenticated user privileges and monitor upload activities

🔍 How to Verify

Check if Vulnerable:

Check CubeCart version in admin panel or by examining the /includes/global.inc.php file for version information.

Check Version:

grep -i 'version' /path/to/cubecart/includes/global.inc.php

Verify Fix Applied:

Verify version is 6.5.5 or later in admin panel or configuration files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with .phar extension
  • Multiple failed upload attempts
  • Suspicious POST requests to upload endpoints

Network Indicators:

  • Unexpected outbound connections from web server
  • Unusual traffic patterns to upload handlers

SIEM Query:

source="web_logs" AND (url="*upload*" AND file_extension=".phar")
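The SIEM query above expressed as a stand-alone log scanner, added here as an example and not part of the original advisory. It assumes Apache/Nginx "combined" access-log format; the upload handler path (/upload) and all log lines are constructed placeholders, not CubeCart's actual endpoints or real traffic.

```python
import re
from urllib.parse import urlsplit, unquote

# "combined" access-log format (assumed): ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Label one request: 'phar-request' if the decoded path mentions .phar
    (a served .phar means an uploaded archive may already be executing),
    'upload-post' for a POST to an upload handler, else None."""
    # Percent-decode and lowercase first so the check sees the same path the server resolves.
    path = unquote(urlsplit(entry["target"]).path).lower()
    if ".phar" in path:          # deliberately broad: legitimate store URLs rarely contain it
        return "phar-request"
    if entry["method"] == "POST" and "upload" in path:
        return "upload-post"
    return None

def scan(lines):
    """Return (line_no, label, ip, method, target, status) for every flagged request."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue                 # malformed line: skip rather than crash the scan
        label = classify(entry)
        if label:
            findings.append((n, label, entry["ip"], entry["method"], entry["target"], entry["status"]))
    return findings

# Constructed sample log lines (documentation IP range, placeholder paths).
SAMPLE = [
    '192.0.2.10 - alice [12/May/2024:10:01:02 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/May/2024:10:01:09 +0000] "GET /images/uploads/shell.phar HTTP/1.1" 200 88 "-" "curl/8.0"',
    '192.0.2.10 - - [12/May/2024:10:01:15 +0000] "GET /images/uploads/x%2Ephar?c=id HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.7 - - [12/May/2024:10:02:00 +0000] "GET /product/12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'garbage line that is not an access-log record',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```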

🔗 References
