PT-2018-14657 · Unknown · School Management System

Ihsan Sencan

Publicado

2018-11-16

Atualizado

2018-12-18

CVE-2018-18793

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions School Event Management System version 1.0

Description The issue allows for Arbitrary File Upload. This can be achieved via the "event/controller.php?action=photos" endpoint, specifically by exploiting the action parameter set to photos.

Recommendations For School Event Management System version 1.0, consider disabling the file upload functionality in the "event/controller.php" endpoint until a patch is available. Restrict access to the action=photos parameter to minimize the risk of exploitation.

Exploit

Correção

Unrestricted File Upload

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-434

Identificadores relacionados

CVE-2018-18793

Produtos afetados

School Management System

PT-2018-14657 · Unknown · School Management System

CVE-2018-18793

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 4