| Titel | ZhiHuiYun ZhiHuiYun <=4.4.13 Arbitrary File Upload |
|---|
| Beschreibung | ZhiHuiYun, version 4.4.13 and earlier, is found to have an Arbitrary File Upload vulnerability in the ImageController.php file. Specifically, the function 'download_network_image' downloads and saves files from a URL to the server without proper validation or restrictions. An attacker can exploit this by hosting a malicious PHP file on their own server, then sending a request to download that file. The application does not prevent the download and storage of the malicious file, which can then be located using the search function. This vulnerability could allow an attacker to upload and execute arbitrary code on the server, potentially leading to full system compromise. |
|---|
| Quelle | ⚠️ https://note.zhaoj.in/share/jC6NMe5TRSys |
|---|
| Benutzer | glzjin (UID 59815) |
|---|
| Einreichung | 14.01.2024 17:50 (vor 2 Jahren) |
|---|
| Moderieren | 17.01.2024 14:58 (3 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 251375 [ZhiHuiYun bis 4.4.13 Search ImageController.php download_network_image url erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|