CVE-2019-10874

Name of the Vulnerable Software and Affected Versions Bolt CMS version 3.6.6

Description The issue allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml configuration file through the bolt/upload File Upload feature. This is a result of a Cross Site Request Forgery (CSRF) vulnerability.

Recommendations For Bolt CMS version 3.6.6, as a temporary workaround, consider disabling the bolt/upload File Upload feature until a patch is available. Restrict access to the file/edit/config/config.yml configuration file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.