This module exploits a nested PHP array object deserialization in the Magento\Framework\Session\SessionManager class, reached through the $sessionConfig variable, via the /rest/default/V1/guest-carts/abc/order endpoint of Magento Open Source and Adobe Commerce, and uses it to deploy an agent. The exploit proceeds in three steps. First, the module uploads a PHP script to the /pub/media/customer_address/s/e directory of the web application through the /customer/address_file/upload endpoint. Then it triggers the vulnerability by sending a crafted PHP array object to the /rest/default/V1/guest-carts/abc/order endpoint; the deserialized object copies the uploaded PHP script into the webroot directory. The default webroot (/var/www/html/magento/pub/) can be changed with the WEBROOT module parameter. Finally, the module deploys the agent by requesting the PHP script from the webroot directory. Note that the apache user account (www-data) must have write access to the webroot directory for this exploit to work, and the deployed agent runs with the privileges of that account.
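The three requests above leave a recognisable sequence in the web server's access log: a POST to the upload endpoint, a request to the guest-carts order endpoint from the same client shortly after, and then a request for a PHP file in the webroot that is not one of Magento's stock entry points. The following detector is an added example written for this page, not code from the module or from Magento; it assumes combined-format access logs, accepts either POST or PUT for the order endpoint (the method is not stated above), treats any store code in place of "default" as equivalent, and uses constructed log lines as input.

```python
"""Flag the upload -> guest-carts order trigger -> dropped-PHP request chain
in combined-format access logs. Added example; the log lines are constructed."""
import re
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_PATH = "/customer/address_file/upload"
# Assumption: the store code segment ("default") may vary or be absent.
TRIGGER_RE = re.compile(r"^/rest/(?:[^/]+/)?V1/guest-carts/[^/]+/order$")
# Scripts that legitimately live in Magento's pub/ webroot; anything else
# ending in .php is treated as a dropped file.
STOCK_PHP = {"/index.php", "/get.php", "/static.php", "/cron.php", "/health_check.php"}
WINDOW = timedelta(minutes=10)   # assumption: steps happen within 10 minutes


def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def detect(lines):
    """Return (ip, stage, path) findings, in log order.

    stage 2: upload followed by the guest-carts order trigger from the same ip
    stage 3: stage 2 followed by a request for a non-stock .php in the webroot
    """
    state = {}      # ip -> {"upload": ts, "trigger": ts}
    findings = []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ip, ts, path = r["ip"], r["ts"], r["path"]
        s = state.setdefault(ip, {})
        if r["method"] == "POST" and path == UPLOAD_PATH:
            s["upload"] = ts
        elif r["method"] in ("POST", "PUT") and TRIGGER_RE.match(path):
            if "upload" in s and ts - s["upload"] <= WINDOW:
                s["trigger"] = ts
                findings.append((ip, 2, path))
        elif path.endswith(".php") and path not in STOCK_PHP:
            if "trigger" in s and ts - s["trigger"] <= WINDOW:
                findings.append((ip, 3, path))
    return findings


# Constructed sample: 203.0.113.7 runs the full chain, 198.51.100.4 is benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:14:02:11 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 312',
    '198.51.100.4 - - [10/Jun/2024:14:02:40 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 298',
    '203.0.113.7 - - [10/Jun/2024:14:02:55 +0000] "PUT /rest/default/V1/guest-carts/abc/order HTTP/1.1" 500 87',
    '198.51.100.4 - - [10/Jun/2024:14:03:10 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jun/2024:14:03:20 +0000] "GET /xyz.php?cmd=id HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for ip, stage, path in detect(SAMPLE_LOG):
        print(f"{ip} stage {stage}: {path}")
```

The stage 2 finding alone is worth an alert: a guest-cart order placed right after a customer address file upload from the same address is unusual traffic, and the dropped script may be requested from a different client than the one that uploaded it.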