Invia #259244: gopeak MasterLab ≤v3.3.10 Post-Auth File Uploadinformazioni

Titologopeak MasterLab ≤v3.3.10 Post-Auth File Upload
DescrizioneThe described vulnerability in MasterLab's app/ctrl/admin/User.php file pertains to an insecure file upload mechanism within the add function. This function improperly handles base64-encoded image data for user avatars, accepting the file extension from the decoded content's MIME type without proper validation. An attacker with admin privileges can exploit this by uploading a malicious PHP script disguised as an avatar image. Upon execution, this script could potentially lead to unauthorized actions or access within the system, compromising its security.
Fonte⚠️ https://note.zhaoj.in/share/FE79uijyqmG7
Utente
 glzjin (UID 59815)
Sottomissione28/12/2023 10:03 (2 anni fa)
Moderazione28/12/2023 15:39 (6 hours later)
StatoDuplicato
Voce VulDB249181 [gopeak MasterLab fino a 3.3.10 app/ctrl/admin/User.php add/update Avatar escalationi di privilegi]
Punti0

PrecedenteVisione D'ensembleIl prossimo

Do you want to use VulDB in your project?

Use the official API to access entries easily!