| Название | KuERP KuERP <=1.0.4 Post-Authentication Arbitrary File Deletion |
|---|
| Описание | The KuERP System version ≤1.0.4 has a Post-Authentication Arbitrary File Deletion vulnerability in the /application/index/controller/Service.php file. Specifically, the 'del_sn_db' function inappropriately accepts and processes the 'file' parameter, which can be exploited by an authenticated attacker to delete any file on the system, including critical ones like 'index.php', by sending a specially crafted HTTP POST request. |
|---|
| Источник | ⚠️ https://note.zhaoj.in/share/XKxaJTphW6PB |
|---|
| Пользователь | glzjin (UID 59815) |
|---|
| Представление | 21.01.2024 12:10 (2 лет назад) |
|---|
| Модерация | 28.01.2024 16:27 (7 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 252254 [Sichuan Yougou Technology KuERP до 1.0.4 Service.php del_sn_db Файл] |
|---|
| Баллы | 20 |
|---|