| tiêu đề | gopeak MasterLab ≤v3.3.10 Post-Auth File Upload |
|---|
| Mô tả | A critical file upload vulnerability was discovered in the MasterLab platform, specifically within the update function of the app/ctrl/admin/User.php file, which affects versions up to v3.3.10. The vulnerability, identified by glzjin, allows attackers to execute remote code by uploading a malicious avatar image encoded in base64 format. The flaw lies in the improper handling of file extensions within the UploadLogic::base64ImageContent method, which trusts the file type declared in plaintext. Attackers exploiting this vulnerability can gain unauthorized access and potentially take control of the affected server, making it a severe security risk that requires immediate attention and patching. |
|---|
| Nguồn | ⚠️ https://note.zhaoj.in/share/jNbywlXI46HV |
|---|
| Người dùng | glzjin (UID 59815) |
|---|
| Đệ trình | 28/12/2023 09:55 (cách đây 2 những năm) |
|---|
| Kiểm duyệt | 28/12/2023 15:39 (6 hours later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 249181 [gopeak MasterLab đến 3.3.10 app/ctrl/admin/User.php add/update Ảnh đại diện nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|