Submeter #639778: yanyutao0402 ChanCMS V3.3.0 Unauthorized RCEinformação

Títuloyanyutao0402 ChanCMS V3.3.0 Unauthorized RCE
DescriçãoThe search method in app/modules/cms/controller/collect.js,the getArticle method also has a potential remote code execution (RCE) vulnerability. It gets the parseData from the request body and then uses new Function() to execute it. Although the code tries to clean up parseData using safeExecuteUserFunction, this blacklisting method is usually unreliable. An attacker may find ways to bypass filtering and thus execute arbitrary JavaScript code. Since this is executed on the server side, it is an RCE vulnerability.
Fonte⚠️ https://github.com/August829/Yu/blob/main/58ead8e7e08bfb0e6.md
Utilizador
 Yu_Bao (UID 89348)
Submissão22/08/2025 12h17 (há 10 meses)
Moderação10/09/2025 12h24 (19 days later)
EstadoDuplicado
Entrada VulDB317857 [yanyutao0402 ChanCMS até 3.1.2 collect.js getArticle targetUrl Elevação de Privilégios]
Pontos0

VoltarVisão GeralPróximo

Do you want to use VulDB in your project?

Use the official API to access entries easily!