A vulnerability classified as critical was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This vulnerability affects the function
pictureUpload
of the file /admin/File/pictureUpload. The manipulation of the argument file leads to unrestricted upload.
This vulnerability was named CVE-2024-9904. The attack can be initiated remotely. Furthermore, there is an exploit available.
The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address.