Unrated severityNVD Advisory· Published Mar 2, 2020· Updated Aug 5, 2024

CVE-2018-17058

Description

An issue was discovered in JABA XPress Online Shop through 2018-09-14. It contains an arbitrary file upload vulnerability in the picture-upload feature of ProductEdit.aspx. An authenticated attacker may bypass the frontend filename validation and upload an arbitrary file via FileUploader.aspx.cs in FileUploader.aspx by using empty w and h parameters. This file may contain arbitrary aspx code that may be executed by accessing /Jec/ProductImages//. Accessing the file once uploaded does not require authentication.

Affected products

JABA/XPress Online Shopdescription
JABA/XPress Online Shopllm-create
Range: <=2018-09-14

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cyber-crime.ru/cve/CVE-2018-17058.htmlmitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000