Potatowo233

**Name of the Vulnerable Software and Affected Versions** YPay version 1.2.0 **Description** An arbitrary file upload vulnerability allows attackers to execute arbitrary code via a ZIP archive to `themePutFile` in `app/common/util/Upload.php`, which is called from `app/admin/controller/ypay/Home.php`. The file extension of an uncompressed file is not checked. **Recommendations** For YPay version 1.2.0, as a temporary workaround, consider disabling the `themePutFile` function in `app/common/util/Upload.php` until a patch is available. Restrict access to the `Upload.php` module to minimize the risk of exploitation. Avoid using the `themePutFile` function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.