cbcvebase.
CVE-2024-34982
published 2024-05-17


Priority: P265
Severity: critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 4.67% (90.6th percentile)
An arbitrary file upload vulnerability in the component /include/file.php of lylme_spage v1.9.5 allows attackers to execute arbitrary code via uploading a crafted file.

Affected (1 range)

Vendor: lylme
Product: lylme_spage
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: /include/file.php
other: icon_hash="-282504889"
  • Detect POST requests to /include/file.php with multipart/form-data containing a .php filename in the Content-Disposition header — this is the exploit upload endpoint.
  • A successful upload response contains all four JSON keys: '"code":', '"msg":', '"url":', and 'php"}' — match all four to confirm exploitation.
  • After upload, the server returns a JSON body with a 'url' field matching the regex '"url":"([/a-z_0-9.]+)"' — extract this path and issue a GET to verify code execution.
  • Verify RCE by GETting the uploaded file path and confirming the response Content-Type is text/html (PHP executed), not an image type.
  • Use FOFA query icon_hash="-282504889" to identify exposed LyLme-Spage instances for proactive scanning.
  • The uploaded malicious file uses a .php extension with Content-Type: image/png to bypass MIME-type checks — monitor for multipart uploads where filename extension is .php but Content-Type claims an image type.
  • Vulnerability is confirmed only against lylme_spage version 1.9.5; later versions may be patched.
  • The Nuclei template is marked 'intrusive' — running it against a target will actually upload a PHP file, which may cause unintended persistence or impact on the target system.
  • The template requires two sequential HTTP requests (flow: http(1) && http(2)): the first uploads the file and extracts the path, the second verifies execution — detection logic must account for both steps.
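The detection bullets above can be turned into a small log-inspection routine. The following is an added example written for this entry; it is not code from the page's sources, from the Nuclei template, or from the LyLme-Spage project. It assumes the analyst has raw HTTP requests and response bodies as captured by a proxy or WAF (the `SAMPLE_REQUEST`, `BENIGN_REQUEST` and response strings are constructed placeholders, not real traffic), and it flags a multipart POST to /include/file.php whose part filename ends in .php, with a second reason when that part also declares an image/* Content-Type. The response check applies the four-key match and the `"url"` regex from the bullets so a responder can locate the written file; it does not request that file.

```python
import re
from typing import Optional

# Upload endpoint named in the IOCs for this CVE.
TARGET_PATH = "/include/file.php"

# JSON fragments that the detection bullets say all appear in a successful upload response.
REQUIRED_KEYS = ('"code":', '"msg":', '"url":', 'php"}')
UPLOAD_URL_RE = re.compile(r'"url":"([/a-z_0-9.]+)"')


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def multipart_parts(body: bytes, content_type: str):
    """Yield (part_headers, part_body) for each part of a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delim = b"--" + m.group(1).encode("latin-1")
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        part_head, _, part_body = chunk.strip(b"\r\n").partition(b"\r\n\r\n")
        part_headers = {}
        for line in part_head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            part_headers[name.strip().lower()] = value.strip()
        parts.append((part_headers, part_body))
    return parts


def inspect_upload_request(raw: bytes) -> dict:
    """Return a verdict dict for one request: suspicious flag, reasons, filenames seen."""
    method, path, headers, body = parse_request(raw)
    result = {"suspicious": False, "reasons": [], "filenames": []}
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return result
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return result
    for part_headers, _ in multipart_parts(body, ctype):
        fm = re.search(r'filename="([^"]*)"', part_headers.get("content-disposition", ""))
        if not fm:
            continue
        fname = fm.group(1)
        result["filenames"].append(fname)
        if fname.lower().endswith(".php"):
            result["suspicious"] = True
            result["reasons"].append(f"php filename in upload to {TARGET_PATH}: {fname}")
            part_ct = part_headers.get("content-type", "").lower()
            if part_ct.startswith("image/"):
                # Extension/MIME mismatch described in the IOCs (.php declared as an image).
                result["reasons"].append(f"extension/MIME mismatch: {fname} declared as {part_ct}")
    return result


def inspect_upload_response(body: str) -> Optional[str]:
    """Return the written file path if the body matches the four-key success pattern, else None."""
    if not all(key in body for key in REQUIRED_KEYS):
        return None
    m = UPLOAD_URL_RE.search(body)
    return m.group(1) if m else None


# Constructed sample traffic (placeholders, not captured data).
SAMPLE_REQUEST = (
    b"POST /include/file.php HTTP/1.1\r\n"
    b"Host: spage.example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=----boundary123\r\n"
    b"\r\n"
    b"------boundary123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="avatar.php"\r\n'
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"placeholder file content\r\n"
    b"------boundary123--\r\n"
)
BENIGN_REQUEST = SAMPLE_REQUEST.replace(b'filename="avatar.php"', b'filename="avatar.png"')
SAMPLE_RESPONSE = '{"code":1,"msg":"ok","url":"/upload/20240517_abc.php"}'
BENIGN_RESPONSE = '{"code":1,"msg":"ok","url":"/upload/20240517_abc.png"}'

if __name__ == "__main__":
    print(inspect_upload_request(SAMPLE_REQUEST))
    print(inspect_upload_request(BENIGN_REQUEST))
    print(inspect_upload_response(SAMPLE_RESPONSE), inspect_upload_response(BENIGN_RESPONSE))
```

Pairing the request and response checks covers both steps of the two-request flow the bullets describe: a flagged request alone may be a blocked attempt, while a flagged request followed by a matching response indicates the file was written and the returned path should be examined and removed.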