CVE-2018-16388

Name of the Vulnerable Software and Affected Versions e107 version 2.1.8

Description The issue allows remote attackers to execute arbitrary PHP code by uploading a .php filename with the content type set to 'image/jpeg'. This is possible due to a flaw in the 'e107 web/js/plupload/upload.php' file.

Recommendations For e107 version 2.1.8, consider restricting the upload of files with .php extensions to prevent arbitrary PHP code execution until a patch is available. As a temporary workaround, restrict access to the 'e107 web/js/plupload/upload.php' file to minimize the risk of exploitation.