漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
N/A
Vulnerability Description
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
访问控制不恰当
Vulnerability Title
Для национальных платежных систем в Узбекистане 安全漏洞
Vulnerability Description
Для национальных платежных систем в Узбекистане是Shaxzodbek Qambaraliyev个人开发者的一个支付系统解决方案。 Для национальных платежных систем в Узбекистане 2.2.24及之前版本存在安全漏洞,该漏洞源于/payment/api/editable/update端点存在关键漏洞,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A