RSS   Podatności dla 'Laiketui'   RSS

2021-06-15
 
CVE-2021-34128

CWE-434
 

 
LaikeTui 3.5.0 allows remote authenticated users to execute arbitrary PHP code by using index.php?module=system&action=pay to upload a ZIP archive containing a .php file, as demonstrated by the ../../../../phpinfo.php pathname.

 
 
CVE-2021-34129

CWE-22
 

 
LaikeTui 3.5.0 allows remote authenticated users to delete arbitrary files, as demonstrated by deleting install.lock in order to reinstall the product in an attacker-controlled manner. This deletion is possible via directory traversal in the uploadImg, oldpic, or imgurl parameter.

 


Copyright 2021, cxsecurity.com

 

Back to Top