CVE-2017-12929
published 2017-09-21


Priority: P2 (66) · high · CVSS 3.0: 8.8
AV:N AC:L PR:L UI:N S:U C:H I:H A:H
EXPLOIT
EPSS: 10.08% (95.1th percentile)
Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 version >1.5.10 allows remote authenticated users to upload arbitrary files leading to Remote Command Execution.

Detection & IOCs (extracted from sources)

path: /resource.php
path: /resource/source/shell.php
command: http://host/resource/source/shell.php?c=id
  • Monitor HTTP POST requests to /resource.php for file uploads containing PHP content — successful exploitation results in a PHP webshell dropped under /resource/source/
  • Detect GET requests to /resource/source/*.php with a query parameter (e.g., ?c=) as an indicator of webshell command execution
  • Process execution as www-data spawned from a web server process is a post-exploitation indicator for this vulnerability
  • Google dork 'DlxSpot - Player4' can be used to identify exposed vulnerable instances on the internet
  • Exploitation requires prior authentication; however, a linked SQL injection vulnerability (CVE-2017-12930) allows authentication bypass via the admin login, enabling unauthenticated chaining to this file upload RCE
  • A hardcoded SSH backdoor account (CVE-2017-12928) exists on all known versions, providing an alternative initial access path that can be chained with this vulnerability for full root compromise
  • The arbitrary file upload vulnerability affects DLX Spot Player4 versions greater than 1.5.10 running on Linux

CVSS provenance

NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)