CVE-2021-27964

CRITICAL EXPLOITED NUCLEI

SonLogger - Arbitrary File Upload

Title source: nuclei

Description

SonLogger before 6.4.1 is affected by an unauthenticated arbitrary file upload vulnerability. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. Neither the file extension nor the content of the uploaded file is checked.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Berkan Er · ruby · webapps · multiple
https://www.exploit-db.com/exploits/49651

Nuclei Templates (1)

SonLogger - Arbitrary File Upload
CRITICAL by DhiyaneshDK
FOFA: body="SonLogger"

Scores

CVSS v3 9.8
EPSS 0.8213
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-01-22
CWE CWE-434
Status published
Products (1)
sfcyazilim/sonlogger < 6.4.1
Published Mar 05, 2021
Tracked Since Feb 18, 2026