CVE-2019-17188

Name of the Vulnerable Software and Affected Versions Fecshop FecMall version 2.3.4

Description An issue was found where an attacker can bypass front-end restrictions and upload PHP code to the webserver. This is done by providing image data with a .php extension and the image/jpeg content type. The issue arises because the code relies on the getimagesize function.

Recommendations For Fecshop FecMall version 2.3.4, consider restricting access to the catalog/productinfo/imageupload endpoint to prevent unauthorized file uploads until a patch is available. As a temporary workaround, disabling the image upload functionality can help minimize the risk of exploitation.