CVE-2024-34982
Published 2024-05-17
Priority: P265 | critical | CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 4.67% (90.6th percentile)
An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lylme | lylme_spage | — | — |
Detection & IOCs (extracted from sources)
other: icon_hash="-282504889"
- Detect POST requests to /include/file.php with multipart/form-data containing a .php filename in the Content-Disposition header; this is the exploit upload endpoint.
- A successful upload response contains all four strings '"code":', '"msg":', '"url":', and 'php"}'; match all four to confirm exploitation.
- After upload, the server returns a JSON body with a 'url' field matching the regex '"url":"([/a-z_0-9.]+)"'; extract this path and issue a GET to verify code execution.
- Verify RCE by GETting the uploaded file path and confirming the response Content-Type is text/html (PHP executed), not an image type.
- Use FOFA query icon_hash="-282504889" to identify exposed LyLme-Spage instances for proactive scanning.
- The uploaded malicious file uses a .php extension with Content-Type: image/png to bypass MIME-type checks; monitor for multipart uploads where the filename extension is .php but the Content-Type claims an image type.
- Vulnerability is confirmed only against lylme_spage version 1.9.5; later versions may be patched.
- The Nuclei template is marked 'intrusive': running it against a target will actually upload a PHP file, which may cause unintended persistence or impact on the target system.
- The template requires two sequential HTTP requests (flow: http(1) && http(2)): the first uploads the file and extracts the path, the second verifies execution. Detection logic must account for both steps.
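The two-step detection described in the list above, as an added example (not code from this page, the Nuclei template or the LyLme-Spage project): it flags multipart uploads to /include/file.php whose filename ends in .php while the part declares an image type, then correlates a later GET of the returned path that is served as text/html. The event field names, the form field name, the response values and the stored paths are assumptions constructed for the sample.

```python
import email
import re

UPLOAD_PATH = "/include/file.php"                # endpoint named on this page
URL_RE = re.compile(r'"url":"([/a-z_0-9.]+)"')   # response regex quoted on this page

def upload_parts(content_type, body):
    """Yield (filename, declared MIME type) for each file part of a multipart body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if name:
            yield name, part.get_content_type()

def detect(events):
    """Stage 1: .php filename declared as an image. Stage 2: stored path served as HTML."""
    findings, pending = [], set()   # pending = stored paths returned by flagged uploads
    for ev in events:
        if ev["method"] == "POST" and ev["path"] == UPLOAD_PATH:
            for name, ctype in upload_parts(ev["req_type"], ev["req_body"]):
                if name.lower().endswith(".php") and ctype.startswith("image/"):
                    findings.append(("upload_mismatch", ev["src"], name))
                    m = URL_RE.search(ev["resp_body"])
                    if m and m.group(1).endswith(".php"):
                        pending.add(m.group(1))
        elif ev["method"] == "GET" and ev["path"] in pending:
            if ev["resp_type"].startswith("text/html"):
                findings.append(("uploaded_php_served_as_html", ev["src"], ev["path"]))
    return findings

def form(filename):
    """Constructed multipart body with a harmless placeholder payload."""
    return (b'--b1\r\nContent-Disposition: form-data; name="file"; filename="'
            + filename.encode() + b'"\r\nContent-Type: image/png\r\n\r\nPLACEHOLDER\r\n--b1--\r\n')

MP = "multipart/form-data; boundary=b1"
# Constructed events, not real traffic; field names and stored paths are assumptions.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": UPLOAD_PATH, "req_type": MP,
     "req_body": form("logo.png"), "resp_body": '{"code":200,"msg":"ok","url":"/files/logo.png"}'},
    {"src": "198.51.100.7", "method": "POST", "path": UPLOAD_PATH, "req_type": MP,
     "req_body": form("a.php"), "resp_body": '{"code":200,"msg":"ok","url":"/files/a_01.php"}'},
    {"src": "198.51.100.7", "method": "GET", "path": "/files/a_01.php", "resp_type": "text/html"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

In production the events would come from a WAF or reverse-proxy log that records request bodies and response headers; the image-only upload from 192.0.2.10 produces no finding.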
No detection rules found.
Nuclei
CVE-2024-34982 [CRITICAL] LyLme-Spage - Arbitary File Upload
Template:
```yaml
id: CVE-2024-34982
info:
  name: LyLme-Spage - Arbitary File Upload
  author: DhiyaneshDk
  severity: high
  description: |
    An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.
  impact: |
    Attackers can upload arbitrary files to execute malicious code on the LyLme-Spage server.
  remediation: |
    Update LyLme Spage to a version later than 1.9.5 that patches the arbitrary file upload vulnerability.
  reference:
    - https://github.com/n2ryx/CVE/blob/main/Lylme_pagev1.9.5.md
    - https
```
Published: 2024-05-17