CVE-2024-56829

Name of the Vulnerable Software and Affected Versions Huang Yaoshi Pharmaceutical Management Software versions through 16.0

Description The issue allows for arbitrary file upload via a .asp filename in the fileName element of the UploadFile element in a SOAP request to "/XSDService.asmx". This enables potential attackers to upload malicious files, which could lead to further exploitation.

Recommendations For versions through 16.0, consider disabling the UploadFile element in SOAP requests to "/XSDService.asmx" until a patch is available. Restrict access to the /XSDService.asmx endpoint to minimize the risk of exploitation. Avoid using the fileName element with .asp filenames in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.