Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
xiaoheiFS Vulnerable to RCE via Arbitrary Payment Plugin Upload (Automatic Execution)
Vulnerability Description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
危险类型文件的不加限制上传
Vulnerability Title
xiaoheiFS 安全漏洞
Vulnerability Description
xiaoheiFS是Danvei个人开发者的一个自托管云服务财务与运营系统。 xiaoheiFS 0.3.15及之前版本存在安全漏洞,该漏洞源于AdminPaymentPluginUpload端点允许管理员上传任意文件至plugins/payment/目录,后台监视器会扫描并立即执行新发现的可执行文件,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A