CVE-2019-12185

Name of the Vulnerable Software and Affected Versions eLabFTW version 1.8.5

Description The issue allows for arbitrary file uploads via the /app/controllers/EntityController.php component, potentially resulting in remote command execution. An attacker can use a user account to fully compromise the system by sending a POST request, enabling them to write PHP files to the web root and execute code on the remote server.

Recommendations For eLabFTW version 1.8.5, consider restricting access to the EntityController.php component as a temporary workaround until a patch is available. Avoid using the vulnerable component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.