PT-2018-16209 · Pixel & Tonic · Craft Cms

Publicado

2018-01-01

Atualizado

2022-05-13

CVE-2018-3814

CVSS v3.1

8.8

Alta

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Craft CMS version 2.6.3000

Description The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by using the "Assets->Upload files" screen and then the "Replace it" option, which enables a .jpg file to have embedded PHP code, and then be renamed to a .php extension.

Recommendations For Craft CMS version 2.6.3000, consider restricting access to the "Assets->Upload files" screen and the "Replace it" option to minimize the risk of exploitation. As a temporary workaround, consider disabling the ability to upload files with embedded PHP code until a patch is available.

Exploit

Correção

RCE

Unrestricted File Upload

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-434

Identificadores relacionados

CVE-2018-3814

GHSA-R342-VJC4-WRMJ

Produtos afetados

Craft Cms

PT-2018-16209 · Pixel & Tonic · Craft Cms

CVE-2018-3814

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 6