CVE-2018-12256
Description
Authenticated users can upload arbitrary files as vQmods in LiteCart <2.1.3, leading to RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In LiteCart before version 2.1.3, the file admin/vqmods.app/vqmods.inc.php only validates the Content-Type header (text/xml or application/xml) when uploading vQmod files, but does not verify the actual file content. This allows an authenticated attacker to upload a malicious file (e.g., a PHP script) by simply setting the correct Content-Type [1].
Exploitation
An attacker with valid admin credentials can send a POST request to public_html/admin/?app=vqmods&doc=vqmods with a file containing arbitrary PHP code and the Content-Type set to text/xml or application/xml. The file is saved into the vqmod/xml/ directory, where it can be executed if accessed directly [1].
Impact
Successful exploitation results in remote code execution on the web server with the privileges of the web server process. This can lead to full compromise of the application and underlying server [1].
Mitigation
The issue is fixed in LiteCart version 2.1.3. The fix validates the uploaded file using `DOMDocument::loadXML()` and checks for the presence of the expected vQmod tag, ensuring only valid vQmod XML files are accepted. Additionally, the filename is forced to have a `.xml` extension. No workarounds are available for unpatched versions [1].
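The weak header-only check beside a content-based validator of the kind the fix describes, as an added illustration rather than LiteCart's own code. It assumes a vQmod root element named `modification` and a destination directory passed in by the caller; neither is taken from the page.

```php
<?php
// Added example, not code from LiteCart. Assumptions: the vQmod root element
// is named "modification"; the caller supplies the destination directory.

// Weak (pre-fix style): trusts the client-supplied Content-Type header only.
// Anything can be sent with "text/xml", so this proves nothing about the bytes.
function weak_accept(array $file): bool
{
    return in_array($file['type'], ['text/xml', 'application/xml'], true);
}

// Hardened: parse the actual bytes, require the vQmod root element, and
// derive a server-controlled filename that always ends in ".xml".
// Returns the destination path on success, or null on rejection.
function validate_vqmod_upload(string $tmpPath, string $clientName, string $destDir): ?string
{
    $xml = file_get_contents($tmpPath);
    if ($xml === false || $xml === '') {
        return null;
    }

    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches during parsing; LIBXML_NOENT is
    // deliberately not passed, so external entities are not substituted.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();

    if (!$ok || $doc->documentElement === null) {
        return null; // not well-formed XML: reject
    }
    if ($doc->documentElement->nodeName !== 'modification') { // assumed vQmod root
        return null; // well-formed XML, but not a vQmod file: reject
    }

    // Ignore the client's extension entirely; sanitise the basename and force .xml.
    $base = preg_replace('/[^A-Za-z0-9_\-]/', '_', pathinfo($clientName, PATHINFO_FILENAME));
    if ($base === '') {
        $base = 'vqmod';
    }
    return rtrim($destDir, '/') . '/' . $base . '.xml';
}
```

Because the stored name is rebuilt server-side, a client name such as `shell.php` can only ever land as `shell.xml`, and a non-XML body is rejected before any file is written.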
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application did not properly validate uploaded XML files before processing them, allowing for arbitrary file uploads."
Attack vector
A remote authenticated attacker can upload a malicious file by sending a request to `public_html/admin/?app=vqmods&doc=vqmods` with the Content-Type set to `text/xml` or `application/xml`. This bypasses the original check for file types and allows for remote code execution [ref_id=1].
Affected code
The vulnerability exists in the `admin/vqmods.app/vqmods.inc.php` file. The original code checked the file's MIME type, but the patch replaces this with a more robust XML and vQmod structure validation using `DOMDocument` [ref_id=1].
What the fix does
The patch modifies the file upload handling for vQmods. Instead of solely checking the Content-Type, the code now uses `DOMDocument` to parse the uploaded file and verifies that it contains valid XML and the expected vQmod structure. This prevents the upload of arbitrary files by ensuring only valid vQmod XML files are processed [ref_id=1].
Preconditions
- auth: The attacker must be authenticated with sufficient privileges to access the vQmods administration interface.
- input: The attacker must be able to control the Content-Type header of the upload request.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References: 2
- github.com/litecart/litecart/commit/2305368eb70a26cab34c772c9ae88787f4c3e669 (MITRE x_refsource_CONFIRM)
- www.litecart.net/download (MITRE x_refsource_CONFIRM)
News mentions: 0
No linked articles in our index yet.