This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Likeshop suffers from an **Unrestricted File Upload** vulnerability.β¦
π‘οΈ **Root Cause**: **CWE-434** (Unrestricted Upload of File with Dangerous Type). The flaw lies in `server/application/api/controller/File.php`, specifically the `userFormImage` function.β¦
π¦ **Affected**: **Likeshop** (Social Commerce Solution). Specifically versions **2.5.7.20210311 and earlier**. The vulnerable component is the API controller handling HTTP POST requests for file uploads.
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: With **no authentication** required, hackers can upload backdoors.β¦
β‘ **Exploitation Threshold**: **LOW**. The CVSS vector shows **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges Required), **UI:N** (No User Interaction). It is an easy, automated attack vector.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Public Exploits**: **YES**. Active PoCs exist on GitHub (e.g., `Cappricio-Securities/CVE-2024-0352`) and are integrated into **ProjectDiscovery Nuclei** templates. Wild exploitation is highly likely.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for Likeshop instances. Use Nuclei templates for CVE-2024-0352.β¦
π§ **No Patch Workaround**: If you cannot upgrade immediately: 1. **Block** the upload API endpoint via WAF or firewall. 2. **Restrict** file extensions on the server side to allow only images (jpg, png). 3.β¦
π₯ **Urgency**: **CRITICAL**. Due to **CVSS High Score**, **No Auth** requirement, and **Public PoCs**, this is an immediate threat. Prioritize patching or applying WAF rules **TODAY** to prevent automated botnet attacks.