CVE-2018-19135

Name of the Vulnerable Software and Affected Versions ClipperCMS version 1.3.3

Description The issue concerns the lack of CSRF protection on the kcfinder file upload feature, which is enabled by default. This allows an attacker to perform actions on behalf of an admin or any user with file upload capability, enabling automatic upload of various file types, including html, pdf, xml, and zip. These uploaded files can be accessed publicly under the "/assets/files" directory.

Recommendations For ClipperCMS version 1.3.3, consider disabling the kcfinder file upload feature until a patch is available to add CSRF protection. Restrict access to the "/assets/files" directory to minimize the risk of exploitation. Avoid using the file upload capability for sensitive files until the issue is resolved.