
Unauthenticated RCE in QloApps #1599

@mr7s3d0


Hi team,
I am writing to responsibly disclose a critical security vulnerability that I identified in QloApps versions 1.7.0 and earlier during security research.

The vulnerability exists in the hotel review file upload functionality and allows an unauthenticated remote attacker to upload and execute arbitrary files on the server, resulting in remote code execution (RCE) and complete system compromise.

If you require additional information or a proof of concept to verify this issue, I would be happy to provide it securely.

Note: I already reported this issue to [support@qloapps.com] two weeks ago but have not yet got a reply.

If you need additional information, you can email me via: neakkpornlur@gmail.com

Thanks
