CVE-2018-18874

Name of the Vulnerable Software and Affected Versions nc-cms versions prior to 2017-03-10

Description The issue allows remote attackers to execute arbitrary PHP code via the "Upload File or Image" feature. This can be achieved by uploading a file with a .php filename and setting the Content-Type to application/octet-stream in the request to the "index.php?action=file manager upload" API endpoint.

Recommendations For versions prior to 2017-03-10, as a temporary workaround, consider disabling the file upload feature in the file manager upload action until a patch is available. Restrict access to the index.php?action=file manager upload endpoint to minimize the risk of exploitation. Avoid using the Content-Type: application/octet-stream header in requests to this endpoint until the issue is resolved.