VYPR
High severity · NVD Advisory · Published Jan 26, 2021 · Updated Aug 3, 2024

CVE-2021-3291

Description

Zen Cart 1.5.7b allows admin-level remote code execution via crafted radio input in the modules edit page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Zen Cart 1.5.7b contains a remote code execution vulnerability in the admin modules edit page (admin/modules.php). The page builds a PHP statement by concatenating a module's set_function string with the submitted configuration value and passes the result to eval() without sanitizing that input, so a crafted value can inject arbitrary PHP [1][4].

Exploitation

An authenticated admin user can inspect the HTML radio input elements on the modules edit page and insert a malicious value that, when processed, leads to OS command execution [1][3]. The vulnerability requires admin-level access to the Zen Cart administration panel.

Impact

Successful exploitation enables an attacker to execute arbitrary operating system commands on the underlying server, potentially leading to full compromise of the e-commerce application and its data [3].

Mitigation

The issue is fixed in commit 7447627 (incorporated into Zen Cart 2.x releases) [4]. Users running version 1.5.7b or earlier should upgrade to a patched version [2].
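The construction the Vulnerability and Mitigation sections describe, as an added example that is not part of this advisory and not Zen Cart's code: the eval-and-concatenate rendering shown beside an allowlisted-dispatch version that hands the stored value to the renderer as an argument instead of as PHP source text. Zen Cart's actual 1.5.7c fix (the patch further down) keeps eval() and escapes characters instead; the allowlist dispatch is a substitute technique shown here. The function names, the constant SET_FUNCTION_ALLOWLIST, the radio options and the configuration key are assumed for illustration, and set_function is modelled only in its simplest "name(" form.

```php
<?php
// Added example for this advisory; it is not Zen Cart's code and not the 1.5.7c
// fix. It shows the eval-and-concatenate pattern the advisory describes next to
// an allowlisted dispatch that never turns a stored value into PHP source.
// example_radio_renderer, SET_FUNCTION_ALLOWLIST, render_key_with_eval and
// render_key_safely are names assumed here for illustration.

// Constructed stand-in for a Zen Cart "set_function": given the stored value
// and the configuration key, it returns a radio-button widget as HTML.
function example_radio_renderer(string $value, string $key): string
{
    $html = '';
    foreach (['true', 'false'] as $opt) {
        $checked = ($opt === $value) ? ' checked' : '';
        $html .= '<input type="radio" name="configuration['
               . htmlspecialchars($key, ENT_QUOTES) . ']" value="'
               . htmlspecialchars($opt, ENT_QUOTES) . '"' . $checked . '> '
               . $opt . '<br>';
    }
    return $html;
}

// Vulnerable shape (same construction as the pre-fix line in the patch):
// the stored value is spliced into PHP source text and handed to eval(),
// so the value is parsed as code rather than passed as data.
function render_key_with_eval(string $set_function, string $value, string $key): string
{
    $keys = '';
    eval('$keys .= ' . $set_function . "'" . $value . "', '" . $key . "');");
    return $keys;
}

// Hardened shape: the set_function string must name a renderer on an explicit
// allowlist, and the renderer is called with $value and $key as plain
// arguments. No stored or submitted text ever reaches the PHP parser.
const SET_FUNCTION_ALLOWLIST = [
    'example_radio_renderer' => 'example_radio_renderer',
];

function render_key_safely(string $set_function, string $value, string $key): string
{
    // The patch shows set_function ending where the argument list begins,
    // e.g. "name(". This simplified model strips that "(" and any whitespace,
    // then requires the remaining name to be on the allowlist.
    $name = rtrim(trim($set_function), '(');
    if (!isset(SET_FUNCTION_ALLOWLIST[$name])) {
        throw new InvalidArgumentException('set_function not allowlisted: ' . $name);
    }
    return call_user_func(SET_FUNCTION_ALLOWLIST[$name], $value, $key);
}

// Constructed inputs. The last value contains a single quote, the character
// that terminates the string literal in the eval-based version.
$key = 'MODULE_EXAMPLE_STATUS';

// On a benign value both paths produce the same widget.
echo render_key_with_eval('example_radio_renderer(', 'true', $key), PHP_EOL;
echo render_key_safely('example_radio_renderer(', 'true', $key), PHP_EOL;

// On the hardened path the quote is just data: it matches no option, so the
// widget is rendered with no button checked and nothing is evaluated.
echo render_key_safely('example_radio_renderer(', "fal'se", $key), PHP_EOL;
```

The design choice is that the set of renderers a module may name is finite and known to the application, so it can be enumerated; anything not on the list is rejected before any call happens, and the value and key travel as ordinary PHP strings, which removes the need to reason about which characters must be escaped for the parser.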

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
zencart/zencart (Packagist)    < 1.5.7c            1.5.7c

Affected products: 2

Patches: 1

Commit 7447627f7148

Fix CVE-2021-3291

https://github.com/zencart/zencart · Chris Brown · Feb 18, 2021 · via ghsa
1 file changed · +1 −1
  • admin/modules.php (+1 −1, modified)
    @@ -331,7 +331,7 @@ function init() {
                   foreach($mInfo->keys as $key => $value) {
    
                     $keys .= '<b>' . $value['title'] . '</b><br>' . $value['description'] . '<br>';
    
                     if ($value['set_function']) {
    
    -                  eval('$keys .= ' . $value['set_function'] . "'" . $value['value'] . "', '" . $key . "');");
    
    +                  eval('$keys .= ' . $value['set_function'] . '"' . zen_output_string($value['value'], array('"' => '&quot;', '`' => 'null;return;exit;')) . '", "' . $key . '");');
    
                     } else {
    
                       $keys .= zen_draw_input_field('configuration[' . $key . ']', htmlspecialchars($value['value'], ENT_COMPAT, CHARSET, TRUE), 'class="form-control"');
    
                     }
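Review bot: the replacement line keeps the eval()-and-concatenate construction and only changes which characters are neutralized, so PHP source is still assembled from database-controlled strings on this path. The `zen_output_string` map covers `"` and the backtick in `$value['value']`, but `$value['set_function']` and `$key` are concatenated into the evaluated string unescaped, and the value now lives inside a double-quoted PHP literal, a context with its own set of significant characters that this map does not enumerate. Consider resolving `set_function` against an allowlist of known renderer callables and invoking the renderer with `$value['value']` and `$key` as ordinary arguments (for example via `call_user_func`), which removes eval() from this line entirely; at minimum, the mapping of the backtick to `null;return;exit;` deserves an inline comment stating what it is meant to prevent, since the intent is not evident from the line itself.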
    
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in the index yet)