CVE-2018-19514

Name of the Vulnerable Software and Affected Versions Webgalamb versions prior to 7.0

Description The issue allows for arbitrary code execution, which can be exploited remotely without initial authentication. To exploit this, an attacker must bypass authentication to access administrative site functions, then upload a crafted CSV file containing a malicious payload. This payload becomes part of a PHP eval() expression in the subscriber.php file.

Recommendations For Webgalamb versions prior to 7.0, consider restricting access to administrative functions and validating all uploaded files to prevent malicious payloads until a fix is available. As a temporary workaround, consider disabling the upload of CSV files in the subscriber.php file to minimize the risk of exploitation.