PT-2017-13224 · Blackcat · Blackcat Cms
Published
2017-08-31
·
Updated
2017-09-01
·
CVE-2017-14050
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
BlackCat CMS version 1.2
Description
The issue allows remote authenticated users to execute arbitrary PHP code via a ZIP archive that contains a .php file. This is possible through the backend/addons/install.php endpoint.
Recommendations
For BlackCat CMS version 1.2, consider restricting access to the
install.php file in the backend/addons directory to prevent exploitation until a patch is available. Avoid using the install.php file to install addons from untrusted sources.Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Blackcat Cms