PT-2019-11472 · Phpthumb+1 · Phpthumb+1

Agel_Nash

Publicado

2019-07-23

Atualizado

2019-10-09

CVE-2019-1010123

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: MODX Revolution Gallery version 1.7.0

Description: The issue allows creating a file with custom filename and content. It involves filtering user parameters before passing them into the phpthumb class. The attack vector is a web request via the "/assets/components/gallery/connector.php" API endpoint.

Recommendations: For MODX Revolution Gallery version 1.7.0, consider restricting access to the /assets/components/gallery/connector.php API endpoint until a patch is available. As a temporary workaround, filtering user parameters more strictly before passing them into the phpthumb class may help minimize the risk of exploitation.

Exploit

Correção

Unrestricted File Upload

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-434

Identificadores relacionados

CVE-2019-1010123

Produtos afetados

Modx Revolution Gallery

Phpthumb

PT-2019-11472 · Phpthumb+1 · Phpthumb+1

CVE-2019-1010123

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5