IMPORTANT! Critical Vulnerability Reported in Maian Cart
This is important if you are running Maian Cart on your servers.
A severe vulnerability has been kindly reported to me by security advisor DreyAnd. The issue concerns the elFinder file manager plugin in Maian Cart and it affects all versions from 3.0 to 3.8. This issue will be made public in 2 weeks, so please update your installations.
The issue enables an attacker to bypass the cart admin restrictions and achieve remote code execution (RCE) on your server. It should be considered high risk and fixed immediately. If you are running a version older than 3.0, you are not affected.
The elFinder file manager plugin had already been removed in the upcoming 3.9 release of Maian Cart (it was removed before the issue was reported), so future versions will always be safe. To make your existing installation secure, simply delete the following directory from your installations of Maian Cart.
If you were using the download manager in your admin area, simply manage the downloads via FTP.
Maian Media would like to thank DreyAnd for his discretion in reporting this issue. As mentioned previously, you have 2 weeks to secure your installations before the issue is made public.
David - Lead Developer (Maian Media)