Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-9855— 07FLYCMS/07FLY-CMS/07FlyCRM Module Plug-In sysmodule_1 uploadFile unrestricted upload

CVSS 4.7 · Medium EPSS 0.10% · P27
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-9855

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
07FLYCMS/07FLY-CMS/07FlyCRM Module Plug-In sysmodule_1 uploadFile unrestricted upload
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM 1.3.8. It has been declared as critical. Affected by this vulnerability is the function uploadFile of the file /admin/SysModule/upload/ajaxmodel/upload/uploadfilepath/sysmodule_1 of the component Module Plug-In Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
危险类型文件的不加限制上传
Source: NVD (National Vulnerability Database)
Vulnerability Title
07FLY CRM 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
07FLY CRM是中国零起飞(07FLY)公司的一个 OA 办公系统。 07FLY CRM 1.3.8版本存在安全漏洞,该漏洞源于文件/admin/SysModule/upload/ajaxmodel/upload/uploadfilepath/sysmodule_1的参数file会导致不受限制的上传。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-07FLYCMS 1.3.8 -
-07FLY-CMS 1.3.8 -
-07FlyCRM 1.3.8 -

II. Public POCs for CVE-2024-9855

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-9855

登录查看更多情报信息。

Same Patch Batch · n/a · 2024-10-11 · 41 CVEs total

CVE-2024-215349.8 CRITICALJSONPath Plus 安全漏洞
CVE-2024-355178.4 HIGHNETGEAR XR1000 安全漏洞
CVE-2024-355228.4 HIGHNETGEAR EX3700 安全漏洞
CVE-2024-98562.4 LOW07FLYCMS/07FLY-CMS/07FlyCRM System Settings Page cross site scripting
CVE-2024-48788Messe Frankfurt com.yescam.YesCam.zwave 安全漏洞
CVE-2024-42018Atos Eviden SMC xScale 安全漏洞
CVE-2024-48778Giant Bicycles RideLink 安全漏洞
CVE-2024-48937Znuny 安全漏洞
CVE-2024-48776Shelly com.home.shelly 安全漏洞
CVE-2024-48787Revic Optics Revic Ops 安全漏洞
CVE-2024-48769BURG-WCHTER KG de.burgwachter.keyapp.app 安全漏洞
CVE-2024-48771Almando Play 安全漏洞
CVE-2024-48775Plug n Play Camera com.ezset.delaney 安全漏洞
CVE-2024-48774Fermax com.fermax.vida 安全漏洞
CVE-2024-48786SwitchBot 安全漏洞
CVE-2024-48784SAMPMAX com.sampmax.homemax 安全漏洞
CVE-2024-48938Znuny 安全漏洞
CVE-2024-48772C-CHIP 安全漏洞
CVE-2024-48773Wo-smart WoFit 安全漏洞
CVE-2024-46468Jpress 安全漏洞

Showing top 20 of 41 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: 07FLYCMS
Same vendor: n/a
Same weakness: CWE-434

V. Comments for CVE-2024-9855

No comments yet

Leave a comment