Cybersecurity specialists report the detection of two critical vulnerabilities in phpUploader whose exploitation could result in the deployment of dangerous hacking scenarios.

Below are brief descriptions of the reported flaws, as well as their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2022-24435: Infected debugging of user-provided data would allow remote threat actors to inject and execute arbitrary HTML code and scripts in the context of a vulnerable website.

The vulnerability received a CVSS score of 5.3/10 and its successful exploitation would allow malicious hackers to extract information from websites, modify their appearance and deploy phishing attacks.

CVE-2022-23986: Insufficient disinfection of user-provided data would allow remote threat actors to send specially crafted requests to the affected application and execute arbitrary SQL commands on the application database.

This vulnerability received a CVSS score of 7.9/10 and its successful exploitation would allow the compromised databases to be read, modified, and deleted.

According to the report, the flaws reside in phpUploader versions between 0.1 – 1.2.

While vulnerabilities can be exploited by unauthenticated threat actors, no active exploitation attempts have been detected so far. Still, users of affected deployments are encouraged to upgrade as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.