Primary

Context

Yue Lao Blind Box Unrestricted File Upload Vulnerability in Upload.php

Vulnerability

A critical unrestricted file upload vulnerability has been identified in Yue Lao Blind Box versions through 4.0. The issue arises in the 'base64image' function within 'Upload.php', where the 'data' argument can be manipulated to upload files without restriction. This vulnerability can be exploited remotely, and details of the exploit are publicly available.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which could lead to the execution of malicious files on the server.

Reproduction

The vulnerability can be reproduced by encoding a file, such as a PHP script, in Base64 and uploading it through the application's file upload feature. The 'data' parameter, which is an array, is processed by the 'base64image' function. The uploaded file is saved without proper validation of its type or extension, allowing potentially harmful files to be executed on the server.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Yue Lao Blind Box Unrestricted File Upload Vulnerability in Upload.php

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating