Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by Yue Lao
CVE-2025-2671 (GCVE-0-2025-2671)
Vulnerability from nvd – Published: 2025-03-23 22:00 – Updated: 2025-03-24 15:59
VLAI
Title
Yue Lao Blind Box 月老盲盒 Upload.php base64image unrestricted upload
Summary
A vulnerability was found in Yue Lao Blind Box 月老盲盒 up to 4.0. It has been declared as critical. This vulnerability affects the function base64image of the file /app/controller/Upload.php. The manipulation of the argument data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
6.3 (Medium)
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.300688 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.300688 | signaturepermissions-required |
| https://vuldb.com/?submit.521169 | third-party-advisory |
| https://www.jianshu.com/p/f8ca5e3cd889 | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Yue Lao | Blind Box 月老盲盒 |
Affected:
4.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2671",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T15:59:08.565976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T15:59:22.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Blind Box \u6708\u8001\u76f2\u76d2",
"vendor": "Yue Lao",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "leizi (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Yue Lao Blind Box \u6708\u8001\u76f2\u76d2 up to 4.0. It has been declared as critical. This vulnerability affects the function base64image of the file /app/controller/Upload.php. The manipulation of the argument data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In Yue Lao Blind Box \u6708\u8001\u76f2\u76d2 bis 4.0 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Dabei geht es um die Funktion base64image der Datei /app/controller/Upload.php. Durch die Manipulation des Arguments data mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-23T22:00:09.708Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-300688 | Yue Lao Blind Box \u6708\u8001\u76f2\u76d2 Upload.php base64image unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.300688"
},
{
"name": "VDB-300688 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.300688"
},
{
"name": "Submit #521169 | Vulnerabilities in the dating platform. windows 4.0 File upload vulnerability",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.521169"
},
{
"tags": [
"exploit"
],
"url": "https://www.jianshu.com/p/f8ca5e3cd889"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-22T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-22T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-22T14:50:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "Yue Lao Blind Box \u6708\u8001\u76f2\u76d2 Upload.php base64image unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2671",
"datePublished": "2025-03-23T22:00:09.708Z",
"dateReserved": "2025-03-22T13:44:02.496Z",
"dateUpdated": "2025-03-24T15:59:22.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2671 (GCVE-0-2025-2671)
Vulnerability from cvelistv5 – Published: 2025-03-23 22:00 – Updated: 2025-03-24 15:59
VLAI
Title
Yue Lao Blind Box 月老盲盒 Upload.php base64image unrestricted upload
Summary
A vulnerability was found in Yue Lao Blind Box 月老盲盒 up to 4.0. It has been declared as critical. This vulnerability affects the function base64image of the file /app/controller/Upload.php. The manipulation of the argument data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
6.3 (Medium)
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.300688 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.300688 | signaturepermissions-required |
| https://vuldb.com/?submit.521169 | third-party-advisory |
| https://www.jianshu.com/p/f8ca5e3cd889 | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Yue Lao | Blind Box 月老盲盒 |
Affected:
4.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2671",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T15:59:08.565976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T15:59:22.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Blind Box \u6708\u8001\u76f2\u76d2",
"vendor": "Yue Lao",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "leizi (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Yue Lao Blind Box \u6708\u8001\u76f2\u76d2 up to 4.0. It has been declared as critical. This vulnerability affects the function base64image of the file /app/controller/Upload.php. The manipulation of the argument data leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In Yue Lao Blind Box \u6708\u8001\u76f2\u76d2 bis 4.0 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Dabei geht es um die Funktion base64image der Datei /app/controller/Upload.php. Durch die Manipulation des Arguments data mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-23T22:00:09.708Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-300688 | Yue Lao Blind Box \u6708\u8001\u76f2\u76d2 Upload.php base64image unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.300688"
},
{
"name": "VDB-300688 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.300688"
},
{
"name": "Submit #521169 | Vulnerabilities in the dating platform. windows 4.0 File upload vulnerability",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.521169"
},
{
"tags": [
"exploit"
],
"url": "https://www.jianshu.com/p/f8ca5e3cd889"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-22T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-22T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-22T14:50:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "Yue Lao Blind Box \u6708\u8001\u76f2\u76d2 Upload.php base64image unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-2671",
"datePublished": "2025-03-23T22:00:09.708Z",
"dateReserved": "2025-03-22T13:44:02.496Z",
"dateUpdated": "2025-03-24T15:59:22.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}