We found a remote command execution vulnerability in the RfExample plugin in the official plugin market.
In the actionCutImage() function of VideoController.php, the load method in the Model class gets the POST data:
Then $modle->video is parsed in getLocalFilePath; video is also CutImageForm['video'], which was discovered by debugging.
CutImageForm['video'] is controllable, and a malicious user can write malicious commands on the front end by controlling this value.
Here are the results:
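Added example (not code from the RfExample plugin): one way to handle a request value such as CutImageForm['video'] before it reaches an external program, by resolving it to a file under a fixed upload root and then running the tool without a shell. The function names, the upload root, the extension list and the use of ffmpeg are assumptions; the report does not show the command that is run.

```php
<?php
// Added example; every name here is hypothetical and a POSIX host is assumed.

/** Map a user-supplied video value to a real file under $uploadRoot, or null. */
function resolveUploadedVideo(string $userValue, string $uploadRoot): ?string
{
    // Reject empty values and control characters (including NUL).
    if ($userValue === '' || preg_match('/[\x00-\x1f\x7f]/', $userValue)) {
        return null;
    }
    $root = realpath($uploadRoot);
    $path = realpath($uploadRoot . '/' . ltrim($userValue, '/\\'));
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // The canonical path must stay inside the upload root (no ../, no symlink escape).
    if (strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    // Allow-list of extensions (assumed set).
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ['mp4', 'mov', 'webm'], true) ? $path : null;
}

/** Grab one frame. The argv array (PHP >= 7.4) is executed without a shell. */
function cutImage(string $video, string $outFile): bool
{
    // $video is an absolute path from resolveUploadedVideo(), so it cannot
    // start with "-" and be read as an option. ffmpeg is an assumed tool.
    $argv = ['ffmpeg', '-nostdin', '-y', '-i', $video, '-frames:v', '1', $outFile];
    $io = [
        0 => ['file', '/dev/null', 'r'],
        1 => ['file', '/dev/null', 'w'],
        2 => ['file', '/dev/null', 'w'],
    ];
    $proc = proc_open($argv, $io, $pipes);
    return is_resource($proc) && proc_close($proc) === 0;
}

// Constructed value standing in for the POSTed CutImageForm['video'] field;
// the name deliberately contains shell metacharacters.
$posted = 'clips/demo; x.mp4';
$video = resolveUploadedVideo($posted, '/var/www/uploads');
if ($video === null) {
    echo "rejected\n";
} else {
    echo cutImage($video, sys_get_temp_dir() . '/frame.jpg') ? "ok\n" : "failed\n";
}
```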