PT-2019-19033 · Jtbc · Jtbc

Published

2019-02-18

Updated

2019-02-20

CVE-2019-8433

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions JTBC(PHP) version 3.0.1.8

Description The issue allows for Arbitrary File Upload. This can be achieved via the "/console/#/console/file/manage.php?type=list" API endpoint. An example of exploitation includes uploading a .php file.

Recommendations For version 3.0.1.8, consider restricting access to the "/console/#/console/file/manage.php?type=list" API endpoint to prevent arbitrary file uploads until a fix is available. Additionally, as a temporary workaround, consider implementing validation and sanitization of uploaded files to minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2019-8433

Affected Products

Jtbc

PT-2019-19033 · Jtbc · Jtbc

CVE-2019-8433

Weakness Enumeration

Related Identifiers

Affected Products

References · 3