Description
Unrestricted file upload vulnerability in the CWebContact::doModel method in oc-includes/osclass/controller/contact.php in OSClass before 3.4.3 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory.
Remediation
References
Related Vulnerabilities
WordPress Plugin Stream Cross-Site Scripting (3.0.5)
WordPress Plugin Podlove Podcast Publisher SQL Injection (2.5.3)
OpenSSL Cryptographic Issues Vulnerability (CVE-2009-3555)
WordPress Deserialization of Untrusted Data Vulnerability (CVE-2020-36326)
EspoCRM Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability (CVE-2026-33659)