CVE-2018-19196

Name of the Vulnerable Software and Affected Versions XiaoCms version 20141229

Description An issue allows remote attackers to execute arbitrary code by bypassing restrictions on uploaded file types, such as jpg, jpeg, bmp, png, and gif, using the type parameter. This can be demonstrated by accessing the "admin/index.php?c=uploadfile&a=uploadify upload&type=php" API endpoint.

Recommendations For XiaoCms version 20141229, as a temporary workaround, consider restricting access to the upload functionality or validating the type parameter to prevent bypassing the upload file type restrictions.