osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.
Security readout for executives and security teams
Plain-English summary
This is a critical remote code execution issue in older osCommerce installations. The supplied sources say the admin file manager can allow an unauthenticated attacker to place PHP code on the server and have it run. For a business, a vulnerable public store could become a full server compromise risk.
Executive priority
Prioritize this as urgent for any legacy osCommerce estate. The business impact could include website takeover, payment environment exposure, malware hosting, or broader server compromise. If osCommerce is not present, document non-exposure and monitor asset inventory.
Technical view
CVE-2009-20006 is described as unrestricted upload/edit behavior in osCommerce admin/file_manager.php through version 2.2 RC2a, mapped to CWE-434. The bundle reports CVSS 4.0 score 9.3 with network, low-complexity, no-privilege, no-user-interaction exploitation characteristics. Public exploit references exist, but the bundle does not establish active exploitation.
Likely exposure
Exposure is most likely in legacy osCommerce deployments, especially internet-facing stores running versions up to and including 2.2 RC2a with the administrative file manager reachable.
Exploitation context
The sources include Metasploit and Exploit-DB references, so public exploit material exists. The bundle says KEV is false and provides no cited evidence of active exploitation. Treat exploitation as credible but do not claim confirmed in-the-wild activity from these sources.
Researcher notes
The provided affected data is sparse, with the structured affected version listed as “0” while the description names versions through 2.2 RC2a. Use the narrative version range cautiously and verify locally. Public exploit references support exploitability, not confirmed active exploitation.
Mitigation direction
Identify any osCommerce installations and confirm whether they are at or below 2.2 RC2a.
Check current osCommerce or hosting-provider guidance before applying product-specific fixes.
Remove, replace, or isolate legacy osCommerce systems that cannot be remediated.
Restrict public access to administrative paths while remediation is assessed.
Review web roots for unexpected PHP files or recent unauthorized changes.
Validation and detection
Inventory public web assets for osCommerce fingerprints and exposed admin paths.
Confirm installed osCommerce version from application files or administrative records.
Review web server logs for access to admin/file_manager.php.
Search application directories for unexpected PHP files and recent timestamp changes.
Validate whether administrative file management is reachable without intended controls.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-434: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-434 · source CWE mapping
Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.