Ab-Alex

Name of the Vulnerable Software and Affected Versions: Pear Admin Think through version 2.1.2 Description: The issue allows attackers to execute arbitrary code remotely due to an arbitrary file upload vulnerability. This is possible because a .php file can be uploaded via the "admin.php/index/upload" endpoint, as the `fileExt` is mishandled by the `UploadService.php` in the `app/common/service` directory. Recommendations: For version 2.1.2, consider disabling the upload functionality in `UploadService.php` until a patch is available to prevent the execution of arbitrary code. Restrict access to the "admin.php/index/upload" endpoint to minimize the risk of exploitation.