CVE-2018-14570

Name of the Vulnerable Software and Affected Versions Niushop B2B2C Multi-business basic version V1.11

Description A file upload issue in the application/shop/controller/member.php file allows remote members to upload .php files to the web server by modifying the filename and file content of an image file, such as one with a Content-Type of image/jpeg, and using it in a profile avatar field. This can result in arbitrary code execution when the uploaded .php file is requested.

Recommendations For Niushop B2B2C Multi-business basic version V1.11, consider restricting or disabling the file upload functionality in the member.php file until a patch is available to prevent arbitrary code execution. Additionally, restrict access to the profile avatar field to minimize the risk of exploitation.