CVE-2017-13670

Name of the Vulnerable Software and Affected Versions BlackCat CMS version 1.2

Description The issue allows remote authenticated users to upload any file, including malicious ones, via the media upload function. This is demonstrated by uploading a ZIP archive containing a .php file through the backend/media/ajax upload.php endpoint.

Recommendations For BlackCat CMS version 1.2, consider restricting access to the backend/media/ajax upload.php endpoint to prevent unauthorized file uploads until a fix is available. As a temporary workaround, restrict the types of files that can be uploaded through this endpoint to minimize the risk of exploitation.