PT-2020-10412 · Logaritmo · Logaritmo Aware Callmanager

Published

2020-01-21

Updated

2020-01-29

CVE-2019-20385

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Logaritmo Aware CallManager 2012

Description The issue concerns the CSV upload feature in the /supervisor/procesa carga.php file, which allows the upload of .php files with a text/* content type. The uploaded PHP code can then be executed by visiting a /supervisor/csv/ URI.

Recommendations For Logaritmo Aware CallManager 2012, restrict access to the /supervisor/procesa carga.php file to prevent unauthorized uploads, and avoid using the CSV upload feature until a fix is available. Consider temporarily disabling the execution of PHP code in the /supervisor/csv/ directory as a mitigation measure.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2019-20385

Affected Products

Logaritmo Aware Callmanager

PT-2020-10412 · Logaritmo · Logaritmo Aware Callmanager

CVE-2019-20385

Weakness Enumeration

Related Identifiers

Affected Products

References · 4