4MOSAn GCB Doctor - Unrestricted Upload of File
Description
4MOSAn GCB Doctor’s file upload function has improper user privilege control. A remote attacker can upload arbitrary files, including webshell files, without authentication and execute arbitrary code to perform arbitrary system operations or a denial-of-service attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated file upload in 4MOSAn GCB Doctor <= 20210811(2.0) allows remote attackers to upload arbitrary files including webshells, leading to RCE.
Vulnerability
The file upload function in 4MOSAn GCB Doctor version 20210811(2.0) and earlier lacks proper user privilege control. An attacker can upload arbitrary files, including webshell files, without authentication. This endpoint is exposed without any access control checks [1].
Exploitation
A remote attacker with network access to the GCB Doctor application can send a crafted HTTP request to the file upload endpoint. No authentication or prior privileges are required. The attacker can upload a webshell or other malicious files, then access the uploaded file to execute arbitrary commands [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the server. This can lead to full system compromise, including unauthorized data access, modification, deletion, or denial of service. The CVSS score is 9.8 (Critical) [1].
Mitigation
The vendor released version 20210916(2.0) to fix this issue. Users should update immediately. No workaround is documented in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- 4MOSAn/GCB Doctor, v5, Range: unspecified
Patches
No patches discovered yet.
References
[1] www.twcert.org.tw/tw/cp-132-5395-eee40-1.html (mitre, x_refsource_MISC)