Attackers can upload a PHP script to execute code on the server. The file upload feature is enabled by default in Canteen. Note that this issue was discovered in Canteen v1.0.

8. Vimeo Video Library v2.3.1 permits uploading of remote code via the upload/index.php file, which allows attackers to execute code on the server.

9. Spryker Employee App v7.8.0 has a critical arbitrary file upload vulnerability via upload/index.php. Attackers can upload a malicious PHP script to the server and run it.

V2.3.1 - February 14, 2019

CVE-2022-43277 is a cross-site scripting vulnerability in Canteen v1.0 that allows attackers to upload a PHP script and execute code on the server, resulting in remote code execution (RCE).

9. Spryker Employee App v7.8.0 has a critical arbitrary file upload vulnerability via upload/index.php. It can be exploited by uploading a malicious PHP script to the server and running it through the app/classes/UploadController_Controller_FileUploaderService_IndexAction class method, resulting in arbitrary file read access and arbitrary command execution via a shell command execution flaw in the app/controllers/MainController_AdminViewRenderer_UploadController::openFile() method of the spryker_employee_app_web/controllers/_UploadController class implementation, as shown below in the vulnerable code snippet:

Timeline

Published on: 11/09/2022 16:15:00 UTC
Last modified on: 11/09/2022 17:03:00 UTC