Description
A vulnerability classified as critical has been found in 74CMS 3.28.0. It affects the function sendCompanyLogo of the file /controller/company/Index.php#sendCompanyLogo of the component Company Logo Handler. Manipulating the argument imgBase64 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257060.
References (3)
Core References
https://vuldb.com/?id.257060 (Permissions Required, VDB Entry; tags: vdb-entry, technical-description)
https://vuldb.com/?ctiid.257060 (Permissions Required, VDB Entry; tags: signature, permissions-required)
https://gist.github.com/Southseast/9f5284d8ee0f6d91e72eef73b285512a (Exploit, Third Party Advisory; tags: exploit)
Scores
CVSS v3: 6.3
EPSS: 0.1953
EPSS Percentile: 95.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-434
Status: published
Products (1): 74cms/74cms 3.28.0
Published: Mar 17, 2024
Tracked Since: Feb 18, 2026