PT-2024-21138 · Skinsoft · Skinsoft S-Museum

Published 2024-02-21 · Updated 2025-03-13 · CVE-2024-25801

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SKINsoft S-Museum version 7.02.3
Description: The Add Media function accepts uploaded files without adequate validation. A crafted PDF file uploaded through it can lead to arbitrary code execution. In addition, a cross-site scripting (XSS) attack is possible by manipulating the filename of an uploaded file: the XSS payload is carried in the filename itself, not in the file content, so the file body can be entirely benign. Note that the CVSS vector above (network-reachable, no privileges, user interaction required, changed scope, low confidentiality and integrity impact) scores the XSS component; arbitrary code execution on the server would rate considerably higher, so do not let the Medium score drive prioritization of the upload issue.
Recommendations: For SKINsoft S-Museum version 7.02.3, consider disabling file upload in the Add Media function until a patch is available. As a temporary workaround, restrict the file types that can be uploaded to the minimum the workflow needs, checking the declared type against the file's actual content rather than trusting the extension alone, and make sure uploaded filenames are sanitized on receipt and HTML-encoded wherever they are rendered, since the XSS payload travels in the filename. Serving uploads from a separate origin, or with a Content-Disposition: attachment header and a restrictive Content-Security-Policy, limits the impact of a file that does get through. Avoid using the Add Media function with untrusted files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
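The following is an added example, not S-Museum code and not from the advisory authors. It shows the two defects described above side by side with a hardened equivalent: a filename interpolated into HTML as-is (the XSS path), and an upload accepted on the strength of its extension alone (the unrestricted upload path). The allowlist, size limit, function names and the sample filenames and byte strings are all assumptions constructed for the demonstration.

```python
"""
Added example (not S-Museum code): upload validation and filename rendering
that close the two issues in the advisory. Everything here (allowlist, limits,
function names, sample inputs) is an assumption made for the demonstration.
"""
import html
import os
import re
import uuid
from dataclasses import dataclass

# Assumed allowlist: extension -> magic-byte prefix the content must start with.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_NAME_LEN = 100
# Anything outside this conservative set is replaced; '-' is literal at the end.
SAFE_NAME_RE = re.compile(r"[^A-Za-z0-9._-]")


@dataclass(frozen=True)
class StoredFile:
    display_name: str   # sanitized name shown to users; still HTML-escaped on output
    stored_name: str    # server-generated name used on disk, never attacker-controlled
    extension: str


class UploadRejected(ValueError):
    pass


def sanitize_display_name(original: str) -> str:
    """Drop any path component and every character outside the allowlist.
    The result is for display only; it is never used to build a filesystem path."""
    base = os.path.basename(original.replace("\\", "/"))
    base = SAFE_NAME_RE.sub("_", base)[:MAX_NAME_LEN]
    return base or "upload"


def validate_upload(original_name: str, content: bytes) -> StoredFile:
    """Reject uploads whose extension is not allowlisted or whose leading bytes do
    not match that extension, so a script renamed to .pdf does not pass as a PDF."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return StoredFile(
        display_name=sanitize_display_name(original_name),
        stored_name=f"{uuid.uuid4().hex}{ext}",
        extension=ext,
    )


def is_accepted(name: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would accept the file."""
    try:
        validate_upload(name, content)
        return True
    except UploadRejected:
        return False


def render_media_row_vulnerable(name: str) -> str:
    """The pattern the advisory describes: the filename reaches the HTML unencoded."""
    return f"<td>{name}</td>"


def render_media_row(stored: StoredFile) -> str:
    """Hardened: the display name is allowlist-sanitized and, as defense in depth,
    HTML-escaped at the point of output."""
    return f"<td>{html.escape(stored.display_name, quote=True)}</td>"


# Constructed sample inputs for the demonstration (not taken from the advisory).
XSS_NAME = '<img src=x onerror=alert(1)>.pdf'
PDF_BYTES = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"
SCRIPT_BYTES = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    print(render_media_row_vulnerable(XSS_NAME))   # payload reaches the page intact
    stored = validate_upload(XSS_NAME, PDF_BYTES)
    print(render_media_row(stored))                # <td>_img_src_x_onerror_alert_1__.pdf</td>
    for name, data in [("shell.php", SCRIPT_BYTES), ("shell.pdf", SCRIPT_BYTES)]:
        try:
            validate_upload(name, data)
        except UploadRejected as exc:
            print(f"{name}: rejected ({exc})")
```

The magic-byte check stops a script renamed to .pdf and the server-generated stored name removes the filename from any path or HTML decision, which covers the two weaknesses listed on this page. It does not protect a downstream PDF parser from a well-formed but malicious PDF; for that part of the advisory the recommendation to disable or restrict the Add Media upload until a fix is available still stands.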

XSS

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2024-25801

Affected Products

Skinsoft S-Museum