PT-2018-9563 · Lh · Lh-Ehr

C-Stoop · Published 2018-12-20 · Updated 2019-02-01 · CVE-2018-1000839

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LH-EHR version REL-2 0 0

Description: The issue is an Arbitrary File Upload vulnerability in the Profile picture upload feature, which can lead to Remote Code Execution. It can be exploited by uploading a PHP file with an image MIME type, because the upload is accepted on the strength of the client-supplied type alone.

Recommendations: For LH-EHR version REL-2 0 0, consider disabling the Profile picture upload feature until a patch is available, to prevent exploitation. Restrict access to the upload functionality to minimize the risk of Remote Code Execution. Avoid using the Profile picture upload feature with unvalidated user input until the issue is resolved.
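The description above says a PHP file was accepted because it carried an image MIME type. As an added example (not code from this advisory or from the LH-EHR project), the following Python validator shows the server-side check that closes that gap: the declared MIME type is treated as an untrusted hint, and the decision rests on the file's own leading bytes, an extension allowlist, and agreement between all three. The function names, the signature table, the 2 MiB size limit and the sample inputs are all assumptions constructed for this example.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Allowlist of accepted image types: declared MIME -> (canonical extension, magic bytes).
# Constructed for this example; extend as needed.
IMAGE_SIGNATURES = {
    "image/png": (".png", b"\x89PNG\r\n\x1a\n"),
    "image/jpeg": (".jpg", b"\xff\xd8\xff"),
    "image/gif": (".gif", b"GIF8"),  # covers GIF87a and GIF89a
}
ALLOWED_EXTENSIONS = {ext for ext, _ in IMAGE_SIGNATURES.values()}

# Byte patterns that have no business inside a profile picture. This is a
# heuristic only; the decisive control is that nothing in the upload
# directory is ever executed by the web server.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # random name to store under, if accepted


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from its leading bytes, ignoring what the client claimed."""
    for mime, (_ext, magic) in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def validate_profile_picture(original_name: str, declared_mime: str, data: bytes,
                             max_bytes: int = 2 * 1024 * 1024) -> UploadDecision:
    """Decide whether an uploaded profile picture may be stored.

    Rejects anything whose extension, declared MIME type and actual content
    do not all agree on one allowlisted image type.
    """
    if not data or len(data) > max_bytes:
        return UploadDecision(False, "empty or oversized upload")

    # Only the extension of the basename matters; the client's name is never reused.
    ext = os.path.splitext(os.path.basename(original_name))[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension {ext!r} not allowed")

    if declared_mime not in IMAGE_SIGNATURES:
        return UploadDecision(False, f"declared type {declared_mime!r} not allowed")

    sniffed = sniff_image_type(data)
    if sniffed is None:
        return UploadDecision(False, "content is not a recognised image")
    if sniffed != declared_mime:
        return UploadDecision(False, f"declared {declared_mime}, content is {sniffed}")
    if IMAGE_SIGNATURES[sniffed][0] != ext:
        return UploadDecision(False, f"extension {ext} does not match {sniffed} content")

    if any(marker in data for marker in SCRIPT_MARKERS):
        return UploadDecision(False, "image contains embedded script markers")

    # Store under a random name with the canonical extension for the sniffed type.
    stored = secrets.token_hex(16) + ext
    return UploadDecision(True, "accepted", stored)


if __name__ == "__main__":
    # Constructed sample uploads: a script with an image MIME type (the case the
    # advisory describes), a minimal PNG header, and a GIF header with script text.
    samples = [
        ("shell.php", "image/png", b"<?php echo 'x'; ?>"),
        ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
        ("avatar.gif", "image/gif", b"GIF89a" + b"\x00" * 10 + b"<?php echo 'x'; ?>"),
    ]
    for name, mime, payload in samples:
        decision = validate_profile_picture(name, mime, payload)
        print(f"{name:12s} {mime:12s} -> {decision.accepted} ({decision.reason})")
```

The validator accepts only the minimal PNG; the PHP file with the image MIME type fails at the extension check, and even with an allowed extension it would fail the content sniff. The marker scan is a second line of defence against polyglot files and can reject a legitimate image that happens to contain such text, which is acceptable for profile pictures; serving uploads from a directory where the web server never executes scripts remains the control that holds even if validation is bypassed.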

Exploit · Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2018-1000839

Affected Products

Lh-Ehr