PT-2018-15038 · Tp5Cms · Tp5Cms
Langyayue
Published 2018-11-29 · Updated 2018-12-27
CVE-2018-19692
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
tp5cms versions prior to 2017-05-25
Description
An issue allows remote attackers to execute arbitrary PHP code by uploading a .php file with the content type set to image/jpeg to the "admin.php/upload/picture.html" endpoint.
Recommendations
For versions prior to 2017-05-25, consider restricting access to the "admin.php/upload/picture.html" endpoint to prevent uploading of malicious files until a fix is available. Additionally, validate the file type and content of uploaded files to prevent execution of arbitrary PHP code.
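One way to implement the validation recommended above, as an added example that is not tp5cms code: the function name, the allowlist and `$storageDir` are assumptions. It never consults the client-supplied content type, which is the value the description says is set to image/jpeg, and decides from the file's bytes instead.

```php
<?php
// Added example, not tp5cms code. The function name, the allowlist and
// $storageDir are assumptions made for illustration.

const ALLOWED_IMAGES = [
    // MIME type detected from content => extension assigned by the server
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and store it under a server-chosen name.
 * Returns the stored path; throws RuntimeException when the file is rejected.
 */
function store_uploaded_image(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an HTTP upload');
    }

    // $file['type'] is the client's Content-Type header: never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = (string) $finfo->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_IMAGES)) {
        throw new RuntimeException('content is not an allowed image type');
    }

    // The bytes must also parse as an image of that same type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('file does not decode as ' . $mime);
    }

    // Server-chosen name and extension: the client's filename (and any
    // ".php" in it) never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640); // readable by the server, never executable
    return $dest;
}
```

Keep `$storageDir` outside the web root, or in a directory the web server is configured not to execute PHP from, so that a file that slips through is served as data rather than run.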
Exploit
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Tp5Cms