CVE-2021-34128

Name of the Vulnerable Software and Affected Versions LaikeTui version 3.5.0

Description The issue allows remote authenticated users to execute arbitrary PHP code by uploading a ZIP archive containing a .php file. This can be achieved by using the "index.php?module=system&action=pay" endpoint to upload the malicious ZIP archive. For example, using the ../../../../phpinfo.php pathname. The vulnerability exists due to insufficient input validation in the ZIP Archive Handler component.

Recommendations For LaikeTui version 3.5.0, consider disabling the module=system&action=pay functionality in the "index.php" endpoint until a patch is available to prevent the upload of malicious ZIP archives. Restrict access to the ZIP Archive Handler component to minimize the risk of exploitation. Avoid using the module and action parameters in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.