PT-2018-10542 · Jigowatt · Jigowatt Php Login & User Management

Reginald Dodd

Published

2018-05-29

Updated

2018-12-11

CVE-2018-11392

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jigowatt PHP Login & User Management versions prior to 4.1.1

Description The issue allows any remote authenticated user to upload .php files to the web server via a profile avatar field in the /classes/profile.class.php file. This results in arbitrary code execution by requesting the .php file.

Recommendations For versions prior to 4.1.1, update to version 4.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the profile avatar field or disabling the profile.class.php file until a patch is available. Avoid using the profile avatar field in the affected API endpoint until the issue is resolved.

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2018-11392

Affected Products

Jigowatt Php Login & User Management

PT-2018-10542 · Jigowatt · Jigowatt Php Login & User Management

CVE-2018-11392

Weakness Enumeration

Related Identifiers

Affected Products

References · 6