PT-2020-12200 · Acontent · Acontent

Published 2020-03-16 · Updated 2020-03-18 · CVE-2020-10557

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AContent versions 1.4 and earlier

Description: The issue allows a user with a low-privileged account to run commands on the server. It is caused by an arbitrary file upload vulnerability in the upload section of the file manager page (upload.php). The vulnerability can be exploited by uploading files with the .php7 extension, which bypasses the file upload restrictions.

Recommendations: For AContent versions 1.4 and earlier, as a temporary workaround, consider disabling the upload functionality in the file manager page until a patch is available. Restrict access to the upload.php file to minimize the risk of exploitation. Avoid using the file manager page for uploading files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
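As an added example (not AContent's code), the PHP snippet below contrasts a denylist-style extension check of the kind that lets .php7 through with an allowlist check that rejects it; the function names, the denylist and the allowed-extension list are assumptions, not taken from upload.php.

```php
<?php
// Added example, not AContent's code. Names and lists are hypothetical.

// Denylist check: anything not explicitly blocked is accepted, so an
// alternative extension such as ".php7" passes. Shown only for contrast.
function denylist_allows(string $filename): bool {
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened check: every dot-separated suffix must be on an explicit
// allowlist, so "shell.php7", "shell.php7.jpg" and "shell.PhP7" are
// all rejected, while "photo.jpg" and "notes.pdf" are accepted.
function allowlist_allows(string $filename): bool {
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    $base  = basename($filename);           // drop any path components
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                       // no extension, or a dotfile
    }
    array_shift($parts);                    // what remains are the extensions
    foreach ($parts as $ext) {
        if ($ext === '' || !in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample file names used as a quick self-check.
$samples = ['photo.jpg', 'shell.php7', 'shell.php7.jpg', 'shell.PhP7', 'notes.pdf'];
foreach ($samples as $name) {
    printf("%-16s denylist=%s allowlist=%s\n", $name,
        denylist_allows($name) ? 'accept' : 'reject',
        allowlist_allows($name) ? 'accept' : 'reject');
}
```

The extension check is only one layer: uploads should also be stored under a server-generated name, outside the web root or in a directory where script execution is disabled.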

Exploit

Unrestricted File Upload


Related Identifiers

CVE-2020-10557

Affected Products

Acontent