Описание
EverShop 2.0.1 allows an unauthenticated user to upload files and create directories within the /api/images endpoint.
EverShop 2.0.1 allows an unauthenticated user to upload files and create directories within the /api/images endpoint.
Связанные уязвимости
CVSS3: 7.5
nvd
2 месяца назад
EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space.