| tiêu đề | gopeak MasterLab ≤v3.3.10 Post-Auth File Upload |
|---|
| Mô tả | The described vulnerability in MasterLab's app/ctrl/admin/User.php file pertains to an insecure file upload mechanism within the add function. This function improperly handles base64-encoded image data for user avatars, accepting the file extension from the decoded content's MIME type without proper validation. An attacker with admin privileges can exploit this by uploading a malicious PHP script disguised as an avatar image. Upon execution, this script could potentially lead to unauthorized actions or access within the system, compromising its security. |
|---|
| Nguồn | ⚠️ https://note.zhaoj.in/share/FE79uijyqmG7 |
|---|
| Người dùng | glzjin (UID 59815) |
|---|
| Đệ trình | 28/12/2023 10:03 (cách đây 2 những năm) |
|---|
| Kiểm duyệt | 28/12/2023 15:39 (6 hours later) |
|---|
| Trạng thái | Bản sao |
|---|
| Mục VulDB | 249181 [gopeak MasterLab đến 3.3.10 app/ctrl/admin/User.php add/update Ảnh đại diện nâng cao đặc quyền] |
|---|
| điểm | 0 |
|---|