PT-2019-19422 · Bolt · Bolt
Medu554 · Published 2019-03-07 · Updated 2022-05-13
CVE-2019-9185
CVSS v3.1: 8.8 High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Bolt versions prior to 3.6.5
Description
The issue allows remote attackers to execute arbitrary PHP code by renaming a previously uploaded file so that it has a .php extension. This is possible because of a flaw in the rename handling of the file manager, implemented in Controller/Async/FilesystemManager.php.
Recommendations
For versions prior to 3.6.5, update to version 3.6.5 or later to resolve the issue. As a temporary workaround, consider restricting file upload and rename capabilities to minimize the risk of exploitation. Avoid allowing users to upload files with .php extensions until the issue is resolved.
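As an added example (not Bolt's own code), a defensive check a file manager could apply to the target name of a rename request, the operation this advisory describes. It goes a little beyond the advisory by rejecting an executable extension in any dotted segment of the name, not only the last one; the allowlist and the `EXECUTABLE_EXTENSIONS` list are assumptions of the example.

```php
<?php
// Added example, not Bolt's code. Extensions that common PHP hosting setups
// execute; this list is an assumption of the example, extend it per server config.
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phps', 'phar', 'htaccess'];

/**
 * Decide whether a rename target is acceptable. $allowed is the same extension
 * allowlist the upload path enforces, so a rename can never grant more than an
 * upload could.
 */
function isSafeRenameTarget(string $newName, array $allowed): bool
{
    // Refuse names that could leave the directory or contain a NUL byte.
    if ($newName === ''
        || strpos($newName, "\0") !== false
        || strpos($newName, '..') !== false
        || strpbrk($newName, "/\\") !== false) {
        return false;
    }
    // Trailing dots/spaces are dropped by some filesystems: "shell.php." would
    // land on disk as "shell.php", so normalize before looking at extensions.
    $parts = explode('.', strtolower(rtrim($newName, ". ")));
    if (count($parts) < 2) {
        return false; // no extension at all: refuse rather than guess
    }
    // Check every dotted segment, so "shell.php.jpg" is refused as well
    // (AddHandler-style Apache configurations execute such names).
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array($parts[count($parts) - 1], $allowed, true);
}

// Constructed sample rename targets with the expected decision.
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
$cases = [
    'photo.jpg'     => true,
    'report.PDF'    => true,
    'shell.php'     => false, // the rename this advisory describes
    'shell.php.jpg' => false,
    'shell.php.'    => false,
    'shell.phtml'   => false,
    '../config.yml' => false,
    'README'        => false,
];
foreach ($cases as $name => $expected) {
    $ok = isSafeRenameTarget($name, $allowed);
    printf("%-16s %s\n", $name, $ok ? 'allowed' : 'refused');
    assert($ok === $expected);
}
```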
Exploit
Fix
Weakness Enumeration
Unrestricted File Upload
Related Identifiers
Affected Products
Bolt