We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-34046

Fanwei E-Office Unauthenticated File Upload



Description

An unauthenticated file upload vulnerability exists in the Fanwei E-Office <= v9.4 web management interface. The vulnerability affects the /general/index/UploadFile.php endpoint, which improperly validates uploaded files when invoked with certain parameters (uploadType=eoffice_logo or uploadType=theme). An attacker can exploit this flaw by sending a crafted HTTP POST request to upload arbitrary files without requiring authentication. Successful exploitation could enable remote code execution on the affected server, leading to complete compromise of the web application and potentially the underlying system.

Reserved 2025-04-15 | Published 2025-06-26 | Updated 2025-06-26 | Assigner VulnCheck


CRITICAL: 10.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status
unaffected

Any version
affected

References

www.cnvd.org.cn/flaw/show/CNVD-2021-49104 third-party-advisory

github.com/...ice-fileupload/blob/main/eoffice_fileupload.py exploit

vulncheck.com/advisories/fanwei-eoffice-file-upload third-party-advisory

github.com/.../blob/main/http/cnvd/2021/CNVD-2021-49104.yaml exploit

cve.org (CVE-2025-34046)

nvd.nist.gov (CVE-2025-34046)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-34046

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.