Vendor: DataCube3
By: Samy Younsi
CVSS: 6.1 (HIGH)
Unrestricted File Upload, Remote Code Execution
CWE: 434
Product Name: DataCube3
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CVE: CVE-2024-25830, CVE-2024-25832
CPE: a:f-logic:datacube3:1.0
Platforms Tested: Ubuntu
2022
DataCube3 v1.0 – Unrestricted File Upload Remote Code Execution
DataCube3 v1.0 contains an unrestricted file upload vulnerability that can lead to remote code execution. An attacker can exploit it to upload malicious files to the server, potentially allowing them to execute arbitrary commands. This exploit also includes a reverse shell chain and information disclosure, such as leaking root passwords.
Mitigation:
To mitigate this vulnerability, it is recommended to restrict file upload capabilities to only allow authorized file types and sizes. Additionally, regularly updating the software and implementing proper access controls can help prevent such exploits.
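One way to implement the file type and size restriction recommended above, as an added example that is not DataCube3 code or part of the original advisory. The allow-list, the 2 MiB cap, the function names and the sample inputs are all assumptions chosen for illustration.

```python
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024          # assumed size cap (2 MiB)
ALLOWED = {                          # assumed allow-list: extension -> magic bytes
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

def validate_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated storage name or raise ValueError."""
    if not 0 < len(data) <= MAX_BYTES:
        raise ValueError("size outside allowed range")
    # Keep only the final path component; the client controls the rest.
    base = os.path.basename(client_name.replace("\\", "/")).lower()
    stem, dot, ext = base.partition(".")
    # Exactly one dot: refuses missing, hidden and stacked extensions.
    if not stem or not dot or "." in ext or "\x00" in base:
        raise ValueError("unexpected file name structure")
    if ext not in ALLOWED:
        raise ValueError("extension not on allow-list")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Never reuse the client-supplied name on disk.
    return f"{secrets.token_hex(16)}.{ext}"

def verdict(client_name: str, data: bytes) -> str:
    """Return 'accepted' or the rejection reason, for logging and tests."""
    try:
        validate_upload(client_name, data)
        return "accepted"
    except ValueError as exc:
        return str(exc)

# Constructed sample inputs (not taken from the advisory)
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLES = [
    ("logo.png", PNG),
    ("logo.php", PNG),
    ("logo.php.png", PNG),
    ("logo.png", b"plain text, not an image"),
    ("big.pdf", b"%PDF-" + b"A" * MAX_BYTES),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name!r:18} -> {verdict(name, data)}")
```

Extension and magic-byte checks do not make a file safe on their own. Store accepted uploads under the generated name in a directory the web server never executes from.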