CVE-2024-57668

8.8 HIGH

📋 TL;DR

Code-projects Shopping Portal v1.0 has an arbitrary file upload vulnerability in insert-product.php that allows attackers to upload malicious files to the server. This affects all deployments of this specific PHP shopping portal software. Attackers could potentially execute arbitrary code on the server.

💻 Affected Systems

Products:
  • Code-projects Shopping Portal
Versions: v1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of v1.0 are vulnerable. The vulnerability is in the core insert-product.php file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete server compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Webshell deployment allowing persistent access, data exfiltration, and further exploitation of the server.

🟢 If Mitigated

File upload attempts blocked or quarantined with no successful exploitation.

🌐 Internet-Facing: HIGH - The vulnerability is in a web-accessible PHP page that could be exploited remotely.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the application.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of file upload bypass techniques and PHP web shells.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - Check vendor for updated version

Vendor Advisory: https://code-projects.org/shopping-portal-using-php-source-code/

Restart Required: No

Instructions:

1. Download the latest version from code-projects.org
2. Replace insert-product.php with the patched version
3. Verify that file upload validation is implemented
4. Test the upload functionality

🔧 Temporary Workarounds

File Upload Restriction (applies to: all)

Implement server-side file type validation and restrict uploads to an allowlist of specific extensions

Access Control (applies to: all)

Restrict access to insert-product.php to authenticated administrators only
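The server-side validation described in the workaround above, written out as an added example; this is not code from the Shopping Portal project, and it assumes a form field named "product_image" and an uploads/ directory next to insert-product.php.

```php
<?php
// Added example (not the project's code): a hardened replacement for the
// unvalidated product-image handling in insert-product.php. Assumed: the
// form field is named "product_image" and images are stored in ./uploads/.
declare(strict_types=1);

const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024; // 2 MiB cap on product images

/**
 * Validates an uploaded product image and stores it under a server-chosen name.
 * Returns the stored filename, or null if the upload is rejected.
 */
function store_product_image(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from the file's bytes, never from the client-supplied
    // name or the Content-Type header the browser sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // getimagesize() must also agree that the content parses as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Server-generated name: the client-supplied filename (double extensions,
    // traversal sequences) never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

// Usage inside insert-product.php, after the administrator session check:
// $stored = store_product_image($_FILES['product_image'] ?? [], __DIR__ . '/uploads');
// if ($stored === null) { http_response_code(400); exit('Invalid image'); }
```

Pair this with a web-server rule that serves uploads/ as static files and never hands anything in that directory to the PHP interpreter, so that even a validation gap cannot turn into code execution.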

🧯 If You Can't Patch

  • Disable file upload functionality in insert-product.php
  • Implement WAF rules to block malicious file upload attempts

🔍 How to Verify

Check if Vulnerable:

Check whether insert-product.php exists and accepts file uploads without proper validation. Attempt to upload a PHP file with an image extension.

Check Version:

Check source code or documentation for version information. The vulnerable version is specifically v1.0.

Verify Fix Applied:

Test file upload with various file types - only allowed extensions should be accepted. PHP files should be blocked regardless of extension.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed upload attempts
  • Uploads of unusual file types
  • Large files uploaded to upload directory

Network Indicators:

  • POST requests to insert-product.php with file uploads
  • Unusual traffic patterns to upload directories

SIEM Query:

source="web_server" AND (uri="/insert-product.php" OR uri LIKE "%/uploads/%") AND (method="POST" OR status=200)
