| Title | 1Panel-dev MaxKB v1.10.6-lts CWE:1236 |
|---|---|
| Description | An insecure file upload vulnerability was discovered in the Knowledge Base module of MaxKB v1.10.6-lts. The application allows users to upload `.csv`, `.xls`, and other spreadsheet files without properly validating or sanitizing their content. As a result, an attacker can upload a file containing malicious spreadsheet formulas (e.g., starting with `=`, `+`, `-`, or `@`). When other users download and open the file in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the malicious payload can be executed, leading to potential security risks including command execution, phishing attacks, or data leakage. |
| Source | https://github.com/yaowenxiao721/Poc/blob/main/MaxKB/MaxKB-poc1.md |
| User | yaowenxiao (UID 82929) |
| Submission | 2025-04-28 08:23 (1 year ago) |
| Moderation | 2025-05-10 17:31 (12 days later) |
| Status | Accepted |
| VulDB Entry | 308293 [1Panel-dev MaxKB up to 1.10.7 Knowledge Base privilege escalation] |
| Points | 20 |