CVE-2018-19463

Name of the Vulnerable Software and Affected Versions Z-BlogPHP versions prior to 1.5.1

Description The issue allows remote attackers to execute arbitrary PHP code by uploading an image with the image/jpeg content type to the "zb system/admin/index.php?act=UploadMng" API endpoint. This requires authentication. The vendor disputes the vulnerability, stating that their current version does not allow dynamic including and thus cannot execute PHP code by uploading an image.

Recommendations For Z-BlogPHP versions prior to 1.5.1, consider restricting access to the upload functionality in the zb system/admin/index.php?act=UploadMng API endpoint to minimize the risk of exploitation. Additionally, restrict the use of the image/jpeg content type in uploads until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.