CVE-2024-46441

Name of the Vulnerable Software and Affected Versions YPay version 1.2.0

Description An arbitrary file upload vulnerability allows attackers to execute arbitrary code via a ZIP archive to themePutFile in app/common/util/Upload.php, which is called from app/admin/controller/ypay/Home.php. The file extension of an uncompressed file is not checked.

Recommendations For YPay version 1.2.0, as a temporary workaround, consider disabling the themePutFile function in app/common/util/Upload.php until a patch is available. Restrict access to the Upload.php module to minimize the risk of exploitation. Avoid using the themePutFile function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.