An arbitrary file upload vulnerability in YPay 1.2.0 allows attackers to execute arbitrary code via a ZIP archive to themePutFile in app/common/util/Upload.php (called from app/admin/controller/ypay/Home.php). The file extension of an uncompressed file is not checked.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
History

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00304}

epss

{'score': 0.00329}


Fri, 27 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Kacins
Kacins ypay
Weaknesses CWE-434
CPEs cpe:2.3:a:kacins:ypay:1.2.0:*:*:*:*:*:*:*
Vendors & Products Kacins
Kacins ypay
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Sep 2024 12:45:00 +0000

Type Values Removed Values Added
Description An arbitrary file upload vulnerability in YPay 1.2.0 allows attackers to execute arbitrary code via a ZIP archive to themePutFile in app/common/util/Upload.php (called from app/admin/controller/ypay/Home.php). The file extension of an uncompressed file is not checked.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-09-27T14:35:01.426Z

Reserved: 2024-09-11T00:00:00

Link: CVE-2024-46441

cve-icon Vulnrichment

Updated: 2024-09-27T14:33:07.518Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-27T13:15:13.397

Modified: 2024-09-30T12:45:57.823

Link: CVE-2024-46441

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.