CuteFlow Arbitrary File Upload Vulnerability Allowing Remote Code Execution

An arbitrary file upload vulnerability has been identified in CuteFlow versions through 2.11.2. The issue resides in the 'restart_circulation_values_write.php' script, where the application fails to properly validate or restrict uploaded file types. This flaw allows unauthenticated attackers to upload arbitrary PHP files to the 'upload/___1/' directory. Once uploaded, these files can be accessed via the web server, enabling remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious PHP scripts on the server, leading to remote code execution.

Reproduction

The vulnerability can be reproduced by uploading a PHP file containing a payload, such as a script that executes system commands, through the 'restart_circulation_values_write.php' page. After the file is uploaded to the 'upload/___1/' directory, it can be accessed and executed via the web server.