CVE-2024-0352
Description
A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250120.
Artificial Intelligence Decryption
CVE-2024-0352 is a critical vulnerability identified in the Likeshop e-commerce platform, specifically affecting versions up to 2.5.7.20210311. This vulnerability is rooted in the function FileServer::userFormImage, which resides within the server/application/api/controller/File.php file. The nature of the vulnerability arises from improper handling of HTTP POST requests, specifically relating to file uploads. Inadequate validation mechanisms allow attackers to exploit this flaw, resulting in unrestricted file uploads to the server. Such misconfigurations pose significant security risks, as they can enable attackers to upload malicious files, potentially leading to further compromise of the system.
The implications of CVE-2024-0352 are substantial, primarily due to its ability to be exploited remotely. Attackers can leverage this vulnerability without needing to authenticate, making it particularly dangerous. Once an attacker successfully uploads a malicious file, they could execute arbitrary code on the server, gain unauthorized access to sensitive information, or manipulate the application's behavior. The ability to conduct such actions remotely amplifies the risk, as the attack surface expands beyond the local network and can target any instance of the affected software exposed to the internet.
In response to the disclosure of CVE-2024-0352, it is crucial for organizations using affected versions of Likeshop to take immediate action. This includes updating to a patched version that resolves the vulnerability, ensuring robust security measures are in place for file uploads, such as implementing file type validation, size restrictions, and content scanning. Additionally, monitoring systems for unusual file activity can help detect and mitigate any exploitation attempts. The critical nature of this vulnerability necessitates swift remediation to protect against potential exploitation and to safeguard the integrity of user data and system functionality.
- CVSS Version 3.1
- CVSS Version 3.0
- CVSS Version 2.0
CVE ID: CVE-2024-0352
Base Score: 9.8
Base Severity: CRITICAL
Vector String:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9
CVE ID: CVE-2024-0352
Base Score: 7.3
Base Severity: HIGH
Vector String:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Impact Score: 3.4
Exploitability Score: 3.9
CVE ID: CVE-2024-0352
Base Score: 7.3
Base Severity: HIGH
Vector String:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE ID: CVE-2024-0352
Base Score: 7.5
Base Severity: HIGH
Vector String:AV:N/AC:L/Au:N/C:P/I:P/A:P
Proof Of Concept
Nuclei Templates for CVE-2024-0352
Refrence: Project Discovery GitHub
Cappricio-Securities
Likeshop < 2.5.7.20210311 - Arbitrary File Upload
Refrence: GitHub