Hi, I have Metabase deployed on Docker, and while I was running some vulnerability scans in OpenVAS (on, mind you, the latest version, which I installed about an hour ago), I got this:
Summary
Online Merchant module for osCommerce is prone to a remote arbitrary-file-upload vulnerability because it fails to sufficiently sanitize user-supplied input.
Detection Result
Vulnerable URL: http://[ip]:3000/admin/file_manager.php/login.php?action=save
Note :
It was possible to upload and execute a file on the remote webserver.
The file is placed in directory: ""
and is named: "OpenVASVT1870614298.php"
You should delete this file as soon as possible!
Detection Method
| Details: | osCommerce Online Merchant <= 2.2 'file_manager.php' Remote Arbitrary ... OID: 1.3.6.1.4.1.25623.1.0.100661 |
|---|---|
| Version used: | 2025-09-18T07:38:39+01:00 |
Affected Software/OS
Online Merchant 2.2 is vulnerable. Other versions may also be affected.
Impact
Attackers can exploit this issue to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation. Other attacks are also possible.
Solution
Solution Type: Workaround
Delete the file 'file_manager.php' in your 'admin' directory.
References
My question is what to do with this?