TypiCMS 9.0.28 - A remote code execution when upload Logo in Settings
noobpk opened this issue · 1 comment
noobpk commented
Description: The logo upload for the application does not check that the uploaded file is a valid image. Through that, an attacker can upload malicious files to the server and execute code to gain access to the web application server.
Version tested: 9.0.28
[Image: request/response of the logo upload]
Video PoC: https://youtu.be/i4e2DelBkls
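The report says the logo upload accepts any file. The check a practitioner would want is one that validates the file by content rather than by the client-supplied name or MIME type, stores it under a server-chosen name and extension, and re-encodes it so appended payloads are discarded. The following is an added example written for this page, not TypiCMS code and not the fix shipped in 9.0.29; it assumes a plain PHP multipart upload in a form field named `logo`, the GD extension, and a hypothetical `$uploadDir` that the web server does not execute scripts from.

```php
<?php
// Added example (not TypiCMS code): content-based validation of an uploaded logo.
// Assumes a standard PHP multipart upload ($_FILES['logo']) and the GD and fileinfo extensions.

declare(strict_types=1);

/**
 * Validate an uploaded image by its content, not by the client-supplied filename or
 * $_FILES[...]['type'] (both are attacker-controlled). Returns the extension to use.
 */
function validateLogoUpload(string $tmpPath, int $maxBytes = 2 * 1024 * 1024): string
{
    // Only raster formats whose content can be verified and re-encoded with GD.
    // SVG is excluded on purpose: it is XML and may carry <script>, so it is not a safe "image".
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];

    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($tmpPath) > $maxBytes) {
        throw new RuntimeException('file too large');
    }

    // 1. Magic-byte sniffing with libmagic.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("disallowed content type: $mime");
    }

    // 2. Independent header parse: getimagesize() returns false for anything that is
    //    not a real image, e.g. a PHP script renamed to logo.png.
    $info = @getimagesize($tmpPath);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('file does not decode as the claimed image type');
    }

    return $allowed[$mime];
}

/**
 * Store the validated image under a random, server-generated name with a server-chosen
 * extension, re-encoded through GD. The original filename never reaches the filesystem,
 * so "shell.php" or "logo.png.php" cannot become an executable script, and re-encoding
 * drops trailing data such as "<?php ..." appended to an otherwise valid PNG.
 */
function storeLogo(string $tmpPath, string $destDir): string
{
    $ext  = validateLogoUpload($tmpPath);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;

    $img = imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('GD could not decode the image');
    }

    $ok = match ($ext) {
        'png' => imagepng($img, $dest),
        'jpg' => imagejpeg($img, $dest, 90),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    return $name;
}

// Usage (hypothetical $uploadDir; it must not be a directory the web server executes PHP from):
// $stored = storeLogo($_FILES['logo']['tmp_name'], $uploadDir);
```

Two of the three steps are still bypassable on their own: a valid image with PHP code appended passes both the libmagic and `getimagesize` checks, which is why the example also re-encodes and why the upload directory should have script execution disabled regardless of what the validation does.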
sdebacker commented
Hello, thank you for spotting. It's fixed in 9.0.29.