CVE-2007-1477 : Directory traversal vulnerability in index.php in PHP Point Of Sale for osCommer

Directory traversal vulnerability in index.php in PHP Point Of Sale for osCommerce 1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cfg_language parameter. NOTE: this issue has been disputed by CVE, since the cfg_language variable is configured upon proper product installation

Published 2007-03-16 21:19:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2007-1477

Oscommerce » Php Point Of Sale » Version: 1.1
cpe:2.3:a:oscommerce:php_point_of_sale:1.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2007-1477

EPSS FAQ

0.39%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 57 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2007-1477

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

References for CVE-2007-1477

http://www.securityfocus.com/archive/1/462970/100/0/threaded
http://securityreason.com/securityalert/2426

PHP Point Of Sale for osCommerce <= (index.php) Remote File Include Vuln - CXSecurity.com
https://exchange.xforce.ibmcloud.com/vulnerabilities/33006

Vulnerability Report
http://attrition.org/pipermail/vim/2007-April/001564.html

[VIM] FALSE -> PHP Point of Sale (osCommerce) LFI

Jump to

Vulnerability Details : CVE-2007-1477

Products affected by CVE-2007-1477

Exploit prediction scoring system (EPSS) score for CVE-2007-1477

CVSS scores for CVE-2007-1477

References for CVE-2007-1477