N/A

In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the config[upload_class] value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an Admin-Upload-Upload request.

N/A

N/A

Gxlcms QY 代码注入漏洞

Gxlcms QY是一套企业网站创建系统。 Gxlcms QY 1.0.0713版本中的Lib\Lib\Action\Admin\UploadAction.class.php文件的‘upload’函数存在代码注入漏洞。远程攻击者可通过将config[upload_class]值从jpg、gif、png、jpeg更改成jpg、gif、png、jpeg、php，然后发送请求利用该漏洞执行任意的PHP代码。

N/A

N/A