PT-2018-10302 · Mybiz · Myprocurenet

Author: Ahmad Ramadhan Amizudin (+3)

Published: 2018-05-14 · Updated: 2019-11-12

CVE-2018-11091 · CVSS v3.1 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MyBiz MyProcureNet version 5.0.0

Description: An issue allows a malicious file to be uploaded to the web server, enabling an attacker to upload a script and issue operating system commands. This occurs because the HiddenFieldControlCustomWhiteListedExtensions parameter can be adjusted by an attacker to add arbitrary extensions to the whitelist during upload, allowing malicious files to be uploaded and executed to take over the server.

Recommendations: For MyBiz MyProcureNet version 5.0.0, restrict access to the file upload feature and remove any custom extensions from the HiddenFieldControlCustomWhiteListedExtensions parameter to prevent malicious file uploads. Additionally, consider disabling the file upload feature until a fix is available to prevent exploitation.
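The root cause above is an allowlist that the client can extend. The following added example (not MyProcureNet code) contrasts that pattern with a server-only allowlist and adds a small log check for requests that push script extensions into the hidden field; the comma-separated field format, the route, the allowlist contents and the log lines are all constructed assumptions.

```python
# Added example, not vendor code. Shows why trusting a request-supplied
# extension whitelist is unsafe and how a server-side allowlist replaces it.
# Assumed: the hidden field carries a comma-separated list like ".pdf,.docx".
import os

SERVER_ALLOWED = {".pdf", ".docx", ".xlsx", ".png", ".jpg"}   # constructed sample
# Extensions a web server may execute as code; used only by the detection helper.
EXECUTABLE_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp", ".cshtml"}
FIELD = "HiddenFieldControlCustomWhiteListedExtensions"

def _ext(filename: str) -> str:
    # Normalise: strip any path, keep only the last extension, lower-case it.
    return os.path.splitext(os.path.basename(filename))[1].lower()

def is_allowed_vulnerable(filename: str, form: dict) -> bool:
    """Vulnerable pattern: the allowlist is extended by a client-controlled field."""
    allowed = set(SERVER_ALLOWED)
    custom = form.get(FIELD, "")
    allowed |= {e.strip().lower() for e in custom.split(",") if e.strip()}
    return _ext(filename) in allowed

def is_allowed_hardened(filename: str, form: dict) -> bool:
    """Hardened: the allowlist lives only on the server; the form field is ignored."""
    ext = _ext(filename)
    return bool(ext) and ext in SERVER_ALLOWED

def suspicious_whitelist_requests(log_lines):
    """Detection: flag requests whose hidden field names an executable extension."""
    hits = []
    marker = FIELD + "="
    for line in log_lines:
        if marker not in line:
            continue
        value = line.split(marker, 1)[1].split("&", 1)[0]
        exts = {e.strip().lower() for e in value.split(",")}
        if exts & EXECUTABLE_EXTS:
            hits.append(line)
    return hits

SAMPLE_LOG = [  # constructed request log, not real traffic
    "POST /upload " + FIELD + "=.pdf,.docx&file=q1.pdf",
    "POST /upload " + FIELD + "=.pdf,.aspx&file=cmd.aspx",
    "POST /upload file=invoice.pdf",
]

if __name__ == "__main__":
    form = {FIELD: ".aspx"}
    print("vulnerable accepts cmd.aspx:", is_allowed_vulnerable("cmd.aspx", form))
    print("hardened accepts cmd.aspx:", is_allowed_hardened("cmd.aspx", form))
    print("flagged requests:", len(suspicious_whitelist_requests(SAMPLE_LOG)))
```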

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2018-11091

Affected Products: Myprocurenet