Research: PHP Object Injection in The Marketer OpenCart module

As part of my research into Gadget Chains and PHP Object Injection, I discovered an unsafe deserialisation vulnerability in The Marketer OpenCart module.

There are Gadget Chains available in OpenCart, including a few that I found and submitted to the PHPGGC project:

https://github.com/ambionics/phpggc/pull/199 (not yet merged).

The vulnerability in The Marketer module, combined with these Gadget Chains, allows remote unauthenticated RCE, hence the very high CVSS score.

Full details: https://gist.github.com/mcdruid/4434f7cd5e105e20e12b60fd6614ca12

MITRE have assigned CVE-2024-56927.