3 matches found
CVE-2022-35857
CVE-2022-35857 affects kvf-admin up to 2022-02-12. Root cause: deserialization of data mishandled; rememberMe cookie is encrypted with a hardcoded key from com.kalvin.kvf.common.shiro.ShiroConfig, enabling remote code execution per cited sources. Public references describe the vulnerability in kv...
CVE-2024-9280
CVE-2024-9280 affects kalvinGit kvf-admin (up to commit f12a94dc1ebb7d1c51ee978a85e4c7ed75c620ff). The root cause is in FileUploadKit.java: the fileUpload function allows unrestricted uploads by manipulating the file argument, enabling remote exploitation. Public exploit exists. No versioned fix ...
CVE-2024-9291
CVE-2024-9291 concerns kalvinGit kvf-admin (XML File Handler). The vulnerability affects the file "/ueditor/upload?configPath=ueditor/config.json&action=uploadfile" where manipulation of the upfile argument enables cross-site scripting. It can be exploited remotely, and the exploit has been discl...