Wallos <=2.38.2 has a file upload vulnerability in the restore database function, which allows unauthenticated users to restore database by uploading a ZIP file. The contents of the ZIP file are extracted on the server. This functionality enables an unauthenticated attacker to upload malicious files to the server. Once a web shell is installed, the attacker gains the ability to execute arbitrary commands.
References
Link | Resource |
---|---|
https://www.datafarm.co.th/blog/CVE-2024-55371-and-CVE-2024-55372-Malicious-File-Upload-to-RCE-in-Wallos-Application | Exploit Third Party Advisory |
Configurations
History
03 Jun 2025, 14:59
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.datafarm.co.th/blog/CVE-2024-55371-and-CVE-2024-55372-Malicious-File-Upload-to-RCE-in-Wallos-Application - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:* | |
Summary |
|
|
First Time |
Wallosapp
Wallosapp wallos |
17 Apr 2025, 14:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CWE | CWE-73 |
16 Apr 2025, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-04-16 21:15
Updated : 2025-06-03 14:59
NVD link : CVE-2024-55372
Mitre link : CVE-2024-55372
CVE.ORG link : CVE-2024-55372
JSON object : View
Products Affected
wallosapp
- wallos
CWE
CWE-73
External Control of File Name or Path