KEVIntel
Back to KEVs
7.3
CVSS
High

CVE-2024-0352

PUBLISHED

Likeshop HTTP POST Request File.php userFormImage unrestricted upload

Exploited in the wild Remote Low complexity No user interaction
Vendor
Likeshop
Product
Likeshop
Published
Jan 09, 2024
EPSS

Description

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250120. In Likeshop bis 2.5.7.20210311 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Es geht um die Funktion FileServer::userFormImage der Datei server/application/api/controller/File.php der Komponente HTTP POST Request Handler. Mit der Manipulation des Arguments file mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

php nuclei_scanner

CVSS scores

CVSS v3.1 7.3 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v3.0 7.3 High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v2.0 7.5

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation status

Exploited in the wild

Recorded 2025-04-23 00:00:00 UTC · Source

SSVC decision points

Exploitation
none
Automatable
Yes
Technical impact
partial

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
The Shadowserver (via CIRCL) Apr 23, 2025

Scanner integrations

Scanner Reference Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-0352.yaml Apr 25, 2025

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei