PT-2019-7548 · Serendipity · Serendipity

Published

2019-05-24

Updated

2019-05-29

CVE-2016-10752

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Serendipity version 2.0.3

Description The issue allows remote attackers to upload and execute arbitrary PHP code due to mishandling of an extensionless filename during a rename. This can be demonstrated by using "php" as a filename.

Recommendations For Serendipity version 2.0.3, consider disabling the serendipity moveMediaDirectory function until a patch is available to prevent the upload and execution of arbitrary PHP code.

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2016-10752

Affected Products

Serendipity

PT-2019-7548 · Serendipity · Serendipity

CVE-2016-10752

Weakness Enumeration

Related Identifiers

Affected Products

References · 5