CVE-2015-6568

Name of the Vulnerable Software and Affected Versions Wolf CMS versions prior to 0.8.3.1

Description The issue allows for unrestricted file rename and PHP code execution. This is because the file manager, located at the admin/plugin/file manager/browse/ endpoint, does not prevent a file extension from being changed to .php after initially uploading a JPEG image using the filename parameter. Exploitation of this issue requires a registered user with access to the upload functionality.

Recommendations For versions prior to 0.8.3.1, update to version 0.8.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the file manager endpoint admin/plugin/file manager/browse/ to minimize the risk of exploitation. Additionally, restrict the use of the filename parameter in the upload functionality until the issue is resolved.