PT-2022-16793 · Hybbs2 · Hybbs2

Shmilyltyo · Published 2022-02-08 · Updated 2022-02-11 · CVE-2022-24676

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

HYBBS2 versions 2.3.2 and earlier

Description

The issue allows for arbitrary file upload via a crafted ZIP archive. This is possible due to a problem in the update code function in Admin.php.

Recommendations

For HYBBS2 versions 2.3.2 and earlier, consider disabling the update code function in Admin.php to prevent arbitrary file uploads until a fix is available. Restrict access to the Admin.php file to minimize the risk of exploitation. Avoid using the update code function until the issue is resolved.

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2022-24676

Affected Products

Hybbs2