PT-2017-16555 · Genix · Genixcms
Published
2017-01-17
·
Updated
2019-10-03
·
CVE-2017-5520
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
GeniXCMS versions 0.0.0 through 0.0.8
Description
The issue concerns the media rename feature, which fails to account for alternative PHP file extensions when checking uploaded files for PHP content. This allows users to rename and execute files with the
.php6, .php7, and .phtml extensions.Recommendations
For GeniXCMS versions 0.0.0 through 0.0.8, consider restricting the upload and execution of files with alternative PHP extensions, such as
.php6, .php7, and .phtml, until a proper fix is implemented. As a temporary workaround, disabling the media rename feature can help minimize the risk of exploitation.Exploit
Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Genixcms