An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file.
The /views/plugin.php component does not properly validate the type or content of uploaded files. An attacker can upload a crafted PHP file (such as a webshell or payload) which will be saved on the server. After upload, the file can be executed via a browser or other HTTP request, resulting in arbitrary code execution on the server side.
An attacker can gain full control over the server — read, modify or delete data, as well as execute arbitrary system commands (RCE). This can lead to a complete breach of the system's confidentiality, integrity, and availability.
Patches available from the vendor should be applied according to the references. Until updates are deployed, it is recommended to restrict access to the /views/plugin.php component at the firewall or web server level and monitor uploaded files for suspicious extensions.
Emlog Pro version 2.5.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEmlog
APPEmlog2.5.7
Related vulnerabilities
Emlog: nieautoryzowany upload pliku PHP przez REST API — RCE
Emlog Pro – arbitralne usuwanie plików przez path traversal
Emlog Pro – dowolne przesyłanie plików umożliwiające RCE (admin/plugin.php)
An arbitrary file upload vulnerability in the component /admin/plugin.php of Emlog Pro v2.2.0 allows attackers...
An arbitrary file upload vulnerability in the component /content/templates/ of Emlog Pro v2.2.0 allows attacke...