Advisory for: Hikashop for Joomla!
Security Risk: High (DREAD score: 7/10)
Vulnerability: Object Injection / Remote Code Execution
Updated Version: 2.3.2
In a routine audit of our Website Firewall we discovered a serious vulnerability within the Hikashop ecommerce product for Joomla! allowing remote code execution on the vulnerable website[s].
What Is At Risk?
This vulnerability affects Joomla! websites running Hikashop (< 2.3.2). It requires open account registration with email activation, which is the default configuration. In this particular case, a malicious user can remotely execute commands on the site (RCE), allowing them to do things like read any configuration file, modify files, and/or insert malware.
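The vulnerability class named above, PHP object injection, arises whenever client-supplied bytes reach unserialize(): the client chooses which class is instantiated and what its properties hold, and any magic method on that class (__wakeup, __destruct, __toString) then runs with attacker-chosen state. The following is an added, generic PHP illustration written for this advisory; it is not HikaShop's or Sucuri's code, and the class, function and input names are hypothetical. It shows the unsafe pattern beside two hardened forms and checks that the hardening actually prevents the magic method from firing.

```php
<?php
// Added example (hypothetical names, not HikaShop's code): the generic PHP
// object-injection pattern and two ways to close it.

class CacheWriter
{
    // Records whether the destructor ran, so the demo below can check it.
    public static bool $ran = false;
    public string $path = '/tmp/cache.txt';
    public string $data = '';

    // In a real extension this is the kind of method that becomes a file write
    // or code execution sink when its properties are attacker-controlled.
    // Here it only records that it ran.
    public function __destruct()
    {
        self::$ran = true;
    }
}

// VULNERABLE pattern: untrusted input goes straight to unserialize().
function loadPrefsUnsafe(string $raw)
{
    return unserialize($raw);
}

// HARDENED form 1: forbid object instantiation. Any object in the payload is
// materialised as __PHP_Incomplete_Class and none of its magic methods run.
function loadPrefsSafe(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED form 2 (preferred for new code): store preferences as JSON, which
// carries no class or object semantics at all.
function loadPrefsJson(string $raw): ?array
{
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : null;
}

// --- self-check on constructed input ---

// A constructed benign payload: what the application itself would store.
$benign = serialize(['currency' => 'EUR', 'per_page' => 20]);
$prefs = loadPrefsSafe($benign);
if (!is_array($prefs) || $prefs['currency'] !== 'EUR') {
    throw new RuntimeException('hardened loader must still read normal data');
}

// A constructed payload naming an application class instead of an array
// ("O:11:" is the length of the class name "CacheWriter"; no properties).
$objectPayload = 'O:11:"CacheWriter":0:{}';

// Hardened loader: the object is an incomplete class, destructor never fires.
$result = loadPrefsSafe($objectPayload);
if (!($result instanceof __PHP_Incomplete_Class) || CacheWriter::$ran) {
    throw new RuntimeException('allowed_classes=false did not block instantiation');
}

// Unsafe loader: the object is built and, when freed, its destructor runs.
loadPrefsUnsafe($objectPayload);
if (!CacheWriter::$ran) {
    throw new RuntimeException('expected the destructor to fire on the unsafe path');
}

// JSON loader rejects the serialized form outright.
if (loadPrefsJson($objectPayload) !== null) {
    throw new RuntimeException('json loader must not accept serialized objects');
}

echo "object-injection hardening checks passed\n";
```

The `allowed_classes` option exists since PHP 7.0; for a Joomla extension that must keep accepting its own legacy serialized data, passing an explicit whitelist of plain data classes (or `false`, as here) is the minimal change, while moving the stored format to JSON removes the class of bug entirely. From a detection standpoint, serialized PHP object prefixes (`O:<n>:"ClassName"`) appearing in request parameters, cookies or form fields that the application never expects to hold objects are a useful web-application-firewall and log signal for this bug class.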