CVE-2016-9493

Name of the Vulnerable Software and Affected Versions PHP FormMail Generator versions prior to 17 December 2016

Description The issue concerns stored cross-site scripting in the code generated by PHP FormMail Generator. The generated form.lib.php file checks upload file types against a hard-coded list of dangerous extensions, but this list does not include all variations of PHP files. This may allow execution of the contained PHP code if an attacker can guess the uploaded filename, as the form appends a short random string to the end of the filename by default.

Recommendations For versions prior to 17 December 2016, consider updating the form.lib.php file to include all variations of PHP files in the list of dangerous extensions to prevent potential execution of malicious PHP code. As a temporary workaround, restrict the upload of PHP files and consider disabling the file upload feature until a proper fix is applied.