Submeter #566517: 1Panel-dev MaxKB v1.10.6-lts CWE:1236informação

Título1Panel-dev MaxKB v1.10.6-lts CWE:1236
DescriçãoAn insecure file upload vulnerability was discovered in the Knowledge Base module of MaxKB v1.10.6-lts. The application allows users to upload `.csv`, `.xls`, and other spreadsheet files without properly validating or sanitizing their content. As a result, an attacker can upload a file containing malicious spreadsheet formulas (e.g., starting with `=`, `+`, `-`, or `@`). When other users download and open the file in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the malicious payload can be executed, leading to potential security risks including command execution, phishing attacks, or data leakage.
Fonte⚠️ https://github.com/yaowenxiao721/Poc/blob/main/MaxKB/MaxKB-poc1.md
Utilizador
 yaowenxiao (UID 82929)
Submissão28/04/2025 08h23 (há 1 Ano)
Moderação10/05/2025 17h31 (12 days later)
EstadoAceite
Entrada VulDB308293 [1Panel-dev MaxKB até 1.10.7 Knowledge Base Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Might our Artificial Intelligence support you?

Check our Alexa App!