CVE-2018-17139

Name of the Vulnerable Software and Affected Versions UltimatePOS version 2.5

Description The issue allows users to upload arbitrary files, leading to remote command execution. This can be achieved by posting to the "/products" API endpoint with PHP code in a .php file, disguised as an image/jpeg content type.

Recommendations For UltimatePOS version 2.5, consider restricting file uploads to only allow specific, necessary file types, and ensure that uploaded files are properly validated and sanitized to prevent remote command execution. As a temporary workaround, consider disabling the file upload feature until a patch is available.