PT-2019-14441 · Cksource · Ckfinder+4
Joshua Provoste
·
Published
2019-09-26
·
Updated
2019-10-02
·
CVE-2019-15862
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
CKFinder versions prior to 2.6.2.1
CKFinder for ASP versions prior to 2.6.2.1
CKFinder for ASP.NET versions prior to 2.6.2.1
CKFinder for ColdFusion versions prior to 2.6.2.1
CKFinder for PHP versions prior to 2.6.2.1
Description
An issue was discovered that allows remote attackers to upload files without any extension, even if the application was configured to accept files only with a defined set of extensions, due to improper checks of file names.
Recommendations
For CKFinder versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue.
For CKFinder for ASP versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue.
For CKFinder for ASP.NET versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue.
For CKFinder for ColdFusion versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue.
For CKFinder for PHP versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue.
Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ckfinder
Ckfinder For Asp
Ckfinder For Asp.Net
Ckfinder For Coldfusion
Ckfinder For Php