PT-2019-19331 · Sitemagic · Sitemagic Cms

Published: 2019-02-23 · Updated: 2024-08-04 · CVE-2019-9042

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Sitemagic CMS version 4.4

Description: An issue in the index.php?SMExt=SMFiles URI allows users to upload .php files, potentially executing arbitrary code, as shown with 404.php. This issue can only occur if the administrator fails to set the FileExtensionFilter and if there are untrusted user accounts. The maintainer considers this a feature for use with External Modules rather than a vulnerability.

Recommendations: For Sitemagic CMS version 4.4, set the FileExtensionFilter to prevent untrusted users from uploading executable files. Ensure that only trusted users have access to the system to minimize the risk of exploitation. As a temporary workaround, consider restricting access to the index.php?SMExt=SMFiles URI until the issue is resolved.

Exploit

Fix

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2019-9042

Affected Products: Sitemagic Cms