exploitDog

CVE-2024-58313

Published: 11 Dec 2025
Source: nvd
CVSS3: 7.2
EPSS: Low

Description

xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.

Vulnerable configurations

Configuration 1
cpe:2.3:a:xbtitfm:xbtitfm:4.1.18:*:*:*:*:*:*:*

EPSS

Percentile: 36%
0.00153
Low

7.2 High

CVSS3

Weaknesses

CWE-434

Related vulnerabilities

CVSS3: 7.2
github
about 2 months ago

xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.
