| عنوان | Zend.To Zend.to Before6.10-7 Beta Code Injection |
|---|
| الوصف | Unauthenticated Remote Code Execution vulnerability in Zend.To before 6.10-7 Beta version. A command injection vulnerability was discovered in the NSSDropoff.php file, where user-supplied tmp_name parameters from file uploads are passed unsanitized to exec() calls. This allows unauthenticated attackers to execute arbitrary system commands during file upload. The issue was identified in a publicly available unofficial codebase that mirrors the original Zend.To functionality. |
|---|
| المصدر | ⚠️ https://matheuscezar.github.io/2025/05/24/0-day-in-zend-to.html |
|---|
| المستخدم | pnshbr (UID 19012) |
|---|
| ارسال | 03/06/2025 05:06 AM (1 سنة منذ) |
|---|
| الاعتدال | 09/06/2025 09:02 PM (7 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 311789 [Zend.To حتى 6.10-6 Beta NSSDropoff.php exec file_1 تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|