Drupal Alternativecommerce Basket
Monthly
PHP object injection in the Drupal AlternativeCommerce (Basket) contributed module (all versions up to and including 2.1.17) allows remote unauthenticated attackers to modify dynamically-determined object attributes and inject crafted objects into the application. Successful exploitation can lead to code execution or full compromise of the Drupal site, with CVSS 3.1 scoring it 9.8 (Critical). No public exploit identified at time of analysis, and EPSS is low at 0.16% (6th percentile), indicating no observed exploitation activity yet despite the high severity rating.
PHP object injection in the Drupal AlternativeCommerce (Basket) contributed module (all versions up to and including 2.1.17) allows remote unauthenticated attackers to modify dynamically-determined object attributes and inject crafted objects into the application. Successful exploitation can lead to code execution or full compromise of the Drupal site, with CVSS 3.1 scoring it 9.8 (Critical). No public exploit identified at time of analysis, and EPSS is low at 0.16% (6th percentile), indicating no observed exploitation activity yet despite the high severity rating.