Back to KEVs

CVE-2024-0352

Likeshop HTTP POST Request File.php userFormImage unrestricted upload

Basic Information

CVE State
PUBLISHED
Reserved Date
January 09, 2024
Published Date
January 09, 2024
Last Updated
August 01, 2024
Vendor
n/a
Product
Likeshop
Description
A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250120. In Likeshop bis 2.5.7.20210311 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Es geht um die Funktion FileServer::userFormImage der Datei server/application/api/controller/File.php der Komponente HTTP POST Request Handler. Mit der Manipulation des Arguments file mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS Scores

CVSS v3.1

7.3 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v3.0

7.3 - HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v2.0

7.5 -

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score
90.68% (Percentile: 99.58%) as of 2025-04-29

Exploit Status

Exploited in the Wild
Yes (added 2025-04-23 00:00:00 UTC) Source

References

https://vuldb.com/?id.250120 https://vuldb.com/?ctiid.250120 https://note.zhaoj.in/share/ciwYj7QXC4sZ

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-04-23 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-0352.yaml 2025-04-26 00:00:00 UTC