IdeaCMS Unrestricted File Upload Vulnerability in SaveUpload Function

Vulnerability

A critical unrestricted file upload vulnerability has been identified in IdeaCMS versions through 1.6. The issue arises in the saveUpload function, where improper input validation allows for the upload of files with dangerous extensions. This vulnerability can be exploited remotely, potentially leading to the execution of uploaded web shells with server permissions.

Impact

Exploitation of this vulnerability allows for unrestricted file uploads, which can be used to upload malicious files such as web shells that execute on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the '/admin/config/saveUpload.html' endpoint with the 'uptype' parameter set to include a file extension that is normally blocked, such as 'php'. The 'uplocation' parameter can be set to '1' for local uploads. After the upload is processed, the uploaded file can be accessed through the application's upload directory.
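A log check a defender can run for the request pattern described above, as an added example that is not part of the original advisory: it flags successful POSTs to the saveUpload endpoint and successful requests for script files under the upload directory. The '/upload/' prefix, the extension list, the 24-hour window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

CONFIG_ENDPOINT = "/admin/config/saveUpload.html"  # endpoint named in the advisory
UPLOAD_PREFIX = "/upload/"       # assumption: set to the site's real upload directory
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)  # assumption: PHP handlers
WINDOW = timedelta(hours=24)     # assumption: how long after a change to correlate

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
198.51.100.4 - - [08/Jun/2025:10:00:00 +0000] "GET /upload/20250608/t.php HTTP/1.1" 200 12
203.0.113.7 - - [09/Jun/2025:19:40:01 +0000] "POST /admin/config/saveUpload.html HTTP/1.1" 200 52
203.0.113.7 - - [09/Jun/2025:19:41:02 +0000] "GET /upload/20250609/a1.php?x=1 HTTP/1.1" 200 17
198.51.100.4 - - [09/Jun/2025:19:42:10 +0000] "GET /upload/20250609/logo.png HTTP/1.1" 200 4096
198.51.100.9 - - [09/Jun/2025:23:59:00 +0000] "GET /upload/old/b.php HTTP/1.1" 404 0
"""

def scan(log_text, upload_prefix=UPLOAD_PREFIX):
    """Return (kind, client_ip, path, after_config_change) tuples, in log order."""
    findings, changes = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line or request that did not succeed
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path == CONFIG_ENDPOINT:
            # Upload settings were saved: review the allowed types afterwards.
            changes.append(ts)
            findings.append(("upload_config_changed", m["ip"], path, None))
        elif path.startswith(upload_prefix) and SCRIPT_EXT.search(path):
            # A script was served from the upload directory; rank it higher
            # when it follows a settings change within WINDOW.
            recent = any(timedelta(0) <= ts - c <= WINDOW for c in changes)
            findings.append(("script_served_from_uploads", m["ip"], path, recent))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A script request flagged with True in the last field followed a settings change and deserves review first; a False entry still indicates a script file being served from a directory that should hold only static content.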

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 10.0
exploitability: 9.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.