PT-2019-15194 · Gila · Gila Cms

Rastating

Published

2019-10-13

Updated

2019-10-17

CVE-2019-17536

CVSS v3.1

9.9

Critical

Vector

AC:L/AV:N/A:L/C:H/I:H/PR:L/S:C/UI:N

Name of the Vulnerable Software and Affected Versions Gila CMS versions prior to 1.11.5

Description The issue allows an attacker to upload a file with a dangerous type via the moveAction function in core/controllers/fm.php. This can be achieved by using the admin/media upload and fm/move endpoints.

Recommendations For versions prior to 1.11.5, update to version 1.11.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the moveAction function in core/controllers/fm.php to minimize the risk of exploitation. Avoid using the admin/media upload and fm/move endpoints until the issue is resolved.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2019-17536

Affected Products

Gila Cms

PT-2019-15194 · Gila · Gila Cms

CVE-2019-17536

Weakness Enumeration

Related Identifiers

Affected Products

References · 4