CVE-2026-10071

Interinfo · DreamMaker

Interinfo's DreamMaker contains an arbitrary file upload vulnerability that allows unauthenticated remote attackers to execute web shells and achieve code execution.

Executive summary

An arbitrary file upload vulnerability in DreamMaker allows unauthenticated attackers to execute arbitrary code via web shells.

Vulnerability

The application does not adequately validate files submitted through its upload functionality, so an unauthenticated remote attacker can place a malicious file, such as a web shell, into a location served by the web server. Requesting that file then causes the server to execute it, giving the attacker Remote Code Execution (RCE) with the privileges of the web server process.

Business impact

The CVSS score of 9.8 (Critical) reflects the severity of this flaw: no authentication is required, so the bar for exploitation is low, and a single successful upload gives an attacker an immediate foothold on the server from which to exfiltrate data or disrupt services.

Remediation

Immediate Action: Check the vendor advisory for patch availability and apply the update immediately.

Proactive Monitoring: Watch upload directories for unexpected files, especially anything with a server-side script extension (.php, .jsp, .aspx and similar) or script content hidden behind an image or document extension, and review web server logs for requests to newly created or unknown files under the upload path, in particular an upload (POST) followed shortly by a request (GET) for a new file from the same client.

Compensating Controls: Use a Web Application Firewall (WAF) to inspect and block suspicious file upload attempts, and ensure uploaded files can never be executed: store them outside the web root where possible, configure the web server to serve the upload directory as static content with no script handler, and remove execute permissions on the files. A WAF only reduces exposure; it is not a substitute for the vendor patch.
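One way to put the monitoring advice and the execute-permission check above into practice, as an added example that is not code from Interinfo, DreamMaker or this advisory: it scans an upload directory for files that look like web shells (script extension, execute bit, or script markers in the content, so a shell hidden behind a .jpg name is still caught) and reviews access-log lines for requests that run a script under the upload path or fetch a file not in a known inventory. The directory layout, the /upload/ URL prefix, the Apache/nginx combined log format and every sample file and log line are constructed assumptions, since DreamMaker's real paths are not published here.

```python
# Added example for the "Proactive Monitoring" and "Compensating Controls"
# items above; not code from Interinfo, DreamMaker or the advisory.
# Assumptions: the upload directory, the /upload/ URL prefix, the combined
# access-log format, and all sample files and log lines are constructed here.
import os
import re
import stat
import tempfile

# Extensions a web server is likely to hand to a script engine. A file with one
# of these in an upload directory is suspicious whatever its content.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx",
               ".cgi", ".pl", ".sh"}

# Byte markers typical of web shells, checked against content rather than name.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<jsp:", b'runat="server"',
                  b"Runtime.getRuntime", b"shell_exec(", b"passthru(",
                  b"$_GET[", b"$_POST[", b"$_REQUEST[")

# Apache/nginx "combined" log line (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def scan_upload_dir(root):
    """Walk an upload directory and report files that could be executed or look
    like web shells. Returns {relative_path: [reasons]} for flagged files only."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS:
                reasons.append("script extension " + ext)
            if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("execute bit set")
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # first 64 KiB is enough for a marker
            for marker in SCRIPT_MARKERS:
                if marker in head:
                    reasons.append("script marker " + marker.decode())
                    break
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def suspicious_requests(log_lines, upload_prefix="/upload/", known_files=None):
    """Flag requests under the upload prefix that fetch a script-looking path or,
    when an inventory of legitimate files is given, that successfully fetch a file
    not in that inventory. Returns (ip, method, path, status, reason) tuples."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if not path.startswith(upload_prefix):
            continue
        status = int(m.group("status"))
        name = path[len(upload_prefix):]
        ext = os.path.splitext(name)[1].lower()
        reason = None
        if ext in SCRIPT_EXTS:
            reason = "script path requested"
        elif (known_files is not None and name and m.group("method") == "GET"
              and status == 200 and name not in known_files):
            reason = "unknown file served"
        if reason:
            hits.append((m.group("ip"), m.group("method"), path, status, reason))
    return hits


def build_sample_upload_dir():
    """Create a constructed upload directory: a benign document, a PHP shell,
    a shell hidden behind a .jpg name, and a harmless file with the execute bit."""
    root = tempfile.mkdtemp(prefix="dreammaker-uploads-")
    samples = {
        "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
        "cmd.php": b"<?php system($_GET['c']); ?>\n",
        "avatar.jpg": b"\xff\xd8\xff\xe0JFIF<?php passthru($_GET['c']); ?>",
        "notes.txt": b"quarterly figures\n",
    }
    for name, data in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o755 if name == "notes.txt" else 0o644)
    return root


# Constructed access-log excerpt: a legitimate upload and download, then an
# attacker uploading and immediately requesting the files just written.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2026:10:01:12 +0000] "POST /upload/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2026:10:01:13 +0000] "GET /upload/report.pdf HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:02:44 +0000] "POST /upload/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2026:10:02:45 +0000] "GET /upload/cmd.php?c=id HTTP/1.1" 200 93 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2026:10:02:46 +0000] "GET /upload/avatar.jpg HTTP/1.1" 200 93 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    root = build_sample_upload_dir()
    for rel, reasons in sorted(scan_upload_dir(root).items()):
        print(f"{rel}: {', '.join(reasons)}")
    for hit in suspicious_requests(SAMPLE_LOG.splitlines(), known_files={"report.pdf"}):
        print(hit)
```

Run it as a script to see the four findings and the two flagged requests. The content check matters more than the extension check: an upload filter that only looks at names will pass avatar.jpg, and whether the server then executes it depends entirely on the handler configuration, which is why the serving-side control (no script handler for the upload directory) is the part that actually closes the gap; this script only detects.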

Exploitation status

Public Exploit Available: True

Analyst recommendation

The presence of a public exploit makes this a high-priority risk. Organizations using DreamMaker should assume that exploitation attempts are likely, must apply the vendor-provided security patches or mitigations immediately, and, because the exploit may already have been used against them, should check upload directories and web server logs for signs of existing compromise both before and after patching.