| tiêu đề | ZhiHuiYun ZhiHuiYun <=4.4.13 Arbitrary File Upload |
|---|
| Mô tả | ZhiHuiYun, version 4.4.13 and earlier, is found to have an Arbitrary File Upload vulnerability in the ImageController.php file. Specifically, the function 'download_network_image' downloads and saves files from a URL to the server without proper validation or restrictions. An attacker can exploit this by hosting a malicious PHP file on their own server, then sending a request to download that file. The application does not prevent the download and storage of the malicious file, which can then be located using the search function. This vulnerability could allow an attacker to upload and execute arbitrary code on the server, potentially leading to full system compromise. |
|---|
| Nguồn | ⚠️ https://note.zhaoj.in/share/jC6NMe5TRSys |
|---|
| Người dùng | glzjin (UID 59815) |
|---|
| Đệ trình | 14/01/2024 17:50 (cách đây 2 những năm) |
|---|
| Kiểm duyệt | 17/01/2024 14:58 (3 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 251375 [ZhiHuiYun đến 4.4.13 Search ImageController.php download_network_image url nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|