CVE-2017-7402

Name of the Vulnerable Software and Affected Versions Pixie version 1.0.4

Description The issue allows remote authenticated users to upload and execute arbitrary PHP code. This is achieved by sending a POST request to the "admin/index.php?s=publish&x=filemanager" endpoint with a filename that has a double extension, such as a .jpg.php file, and setting the Content-Type to image/jpeg.

Recommendations For Pixie version 1.0.4, consider restricting access to the admin/index.php file and validating file uploads to prevent execution of arbitrary PHP code. As a temporary workaround, restrict the filemanager functionality in the admin/index.php endpoint until a patch is available. Avoid using the x=filemanager parameter in the affected API endpoint until the issue is resolved.