Submission #725143: Greencms https://github.com/GreenCMS/GreenCMS V2.3 arbitrary file deletion

Information

Title: Greencms https://github.com/GreenCMS/GreenCMS V2.3 arbitrary file deletion

Description:
• The arbitrary file upload vulnerability is a high-risk web security flaw with broad impact and severe destructive potential. Attackers can bypass upload validation to plant malicious scripts, trojans or viruses on the server. Once the upload succeeds, they can remotely control the server by requesting the file, steal sensitive data such as user privacy and commercial secrets from databases, and even tamper with website content or embed phishing links to mislead users.
• Furthermore, attackers may exploit the server's computing power to deploy mining programs and launch DDoS attacks, exhausting server resources and disrupting business. They could also use malicious files to trick users into downloading them, compromising client devices and causing financial losses. This vulnerability exposes enterprises to legal liability under cybersecurity laws and severely damages their brand reputation.
DESCRIPTION
• The file /CustomController.class.php in GreenCMS v2.3 contains an arbitrary file upload vulnerability.
• The flaw arises because the theme addition feature (access path: index.php?m=admin&c=custom&a=themeadd) fails to properly validate and filter uploaded files. Attackers can upload compressed archives containing webshells, which the system automatically decompresses into the website's root directory. Tools like Godzilla can then use these webshells to gain control of the server, resulting in severe security risks such as data breaches and malicious operations and posing a significant threat to system security.

Source: https://github.com/ueh1013/VULN/issues/8
User: Blackooo (UID 93743)
Submitted: 27.12.2025 11:42 (4 months ago)
Moderation: 28.12.2025 14:11 (1 day later)
Status: Duplicate
Entry: VulDB 338572 [GreenCMS up to 2.3 File DataController.class.php sqlFiles/zipFiles path traversal]
Points: 0
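The description above states that the theme-add endpoint decompresses an uploaded archive into the web root without filtering its contents. As an added example (not GreenCMS code, and not code from the submitter or the linked issue), the following PHP 8 snippet shows the check a theme-upload handler should perform before calling extractTo(): audit every archive entry for path traversal (zip-slip), absolute paths, and executable or server-config extensions, and refuse the whole archive on any finding. The function names, the allowed-extension list and the theme directory are assumptions made for illustration; the demo archive at the bottom is constructed inline.

```php
<?php
// Added example, not part of GreenCMS: audit a theme archive before extraction.
// Assumptions (not from the project): themes are extracted into $themeRoot, and a
// theme legitimately contains only the static and template file types listed below.
declare(strict_types=1);

const THEME_ALLOWED_EXT = [
    'html', 'htm', 'css', 'js', 'json', 'txt', 'md',
    'png', 'jpg', 'jpeg', 'gif', 'svg', 'ico', 'woff', 'woff2', 'ttf',
];

/**
 * Inspect every entry of the zip. Returns a list of problems; an empty list means
 * the archive is safe to extract. Nothing is written to disk here.
 */
function auditThemeZip(string $zipPath, array $allowedExt = THEME_ALLOWED_EXT): array
{
    $problems = [];
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['cannot open archive'];
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || $name === '') {
            $problems[] = "entry $i: unreadable name";
            continue;
        }
        // Zip-slip: absolute paths, drive letters, backslashes or any '..' segment
        // would let an entry land outside $themeRoot (for instance in the web root).
        if ($name[0] === '/' || preg_match('~^[A-Za-z]:~', $name) || str_contains($name, '\\')) {
            $problems[] = "$name: absolute or non-portable path";
            continue;
        }
        if (in_array('..', explode('/', $name), true)) {
            $problems[] = "$name: path traversal";
            continue;
        }
        if (str_ends_with($name, '/')) {
            continue; // directory entry, nothing to extract
        }
        // Check every extension component so shell.php.txt, shell.phtml and
        // .htaccess are all rejected, not just the final suffix.
        $parts = explode('.', basename($name));
        array_shift($parts); // drop the file stem
        if ($parts === []) {
            $problems[] = "$name: file without extension";
            continue;
        }
        foreach ($parts as $ext) {
            if (!in_array(strtolower($ext), $allowedExt, true)) {
                $problems[] = "$name: disallowed extension .$ext";
                continue 2;
            }
        }
        // Belt and braces: a PHP open tag inside an 'allowed' file is still a webshell
        // candidate if the web server can ever be made to execute it.
        $head = $zip->getFromIndex($i, 8192);
        if ($head !== false && (str_contains($head, '<?php') || str_contains($head, '<?='))) {
            $problems[] = "$name: contains PHP code";
        }
    }
    $zip->close();
    return $problems;
}

/** Extract only after the audit passes; reject the whole archive on any finding. */
function extractThemeZip(string $zipPath, string $themeRoot): void
{
    $problems = auditThemeZip($zipPath);
    if ($problems !== []) {
        throw new RuntimeException("theme archive rejected:\n" . implode("\n", $problems));
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true || !$zip->extractTo($themeRoot)) {
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
}

// Demo with a constructed archive: one benign entry, one webshell stand-in and one
// traversal entry that tries to overwrite a file two levels above the theme directory.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'theme');
    $z = new ZipArchive();
    $z->open($tmp, ZipArchive::OVERWRITE);
    $z->addFromString('mytheme/style.css', 'body { margin: 0 }');
    $z->addFromString('mytheme/shell.php', '<?php /* constructed webshell stand-in */ ?>');
    $z->addFromString('../../index.php', '<?php /* constructed overwrite attempt */ ?>');
    $z->close();
    print_r(auditThemeZip($tmp));
    unlink($tmp);
}
```

On the constructed archive the audit flags mytheme/shell.php for its extension and ../../index.php for traversal, and leaves mytheme/style.css alone, so extractThemeZip() refuses the whole upload rather than extracting the benign parts. Two design points matter beyond the checks themselves: the audit runs on the archive listing before anything touches disk, and the extraction target is a dedicated theme directory rather than the web root, so even a future bypass of the extension allowlist does not by itself put a PHP file where the web server will execute it.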
