Xcms
Monthly
Unrestricted file upload in jackq XCMS allows high-privilege authenticated users to upload arbitrary files via the ProductImageController component, with publicly available exploit code disclosed. Despite a CVSS score of 2.0 reflecting the high authentication requirement (PR:H), the vulnerability enables authenticated administrators to bypass intended upload restrictions and potentially achieve remote code execution by uploading malicious files. The vendor has been informed via public issue report but has not yet responded with a fix.
Unrestricted file upload in jackq XCMS allows high-privilege authenticated users to upload arbitrary files via the ProductImageController component, with publicly available exploit code disclosed. Despite a CVSS score of 2.0 reflecting the high authentication requirement (PR:H), the vulnerability enables authenticated administrators to bypass intended upload restrictions and potentially achieve remote code execution by uploading malicious files. The vendor has been informed via public issue report but has not yet responded with a fix.