PT-2020-13874 · Navigate · Navigate Cms

Published 2020-06-15 · Updated 2020-06-17 · CVE-2020-14067

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Navigate CMS version 2.9

Description

The issue is in the install_from_hash functionality, which does not consider the .phtml extension when examining files within a ZIP archive that may contain PHP code. The affected check is the check_upload function in lib/packages/extensions/extension.class.php and lib/packages/themes/theme.class.php.

Recommendations

For Navigate CMS version 2.9, consider disabling the install_from_hash functionality or restricting the upload of ZIP archives until a patch is available. Additionally, restrict access to the check_upload function in lib/packages/extensions/extension.class.php and lib/packages/themes/theme.class.php to minimize the risk of exploitation.
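
The gap described above can be checked offline before a package is allowed onto a server. The following is an added example, not code from Navigate CMS or from this advisory: it runs a denylist-style extension check and an allowlist check over the same constructed ZIP package. The denylist and allowlist contents, the function names and the sample file names are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: a denylist standing in for the flawed check. The advisory does
# not show the list Navigate CMS uses, only that .phtml is absent from it.
DENYLIST = {".php"}

# Assumption: static asset types a theme package needs. Adjust per deployment.
ALLOWLIST = {".css", ".js", ".json", ".html", ".png", ".jpg", ".gif", ".svg", ".txt"}


def _extension(name: str) -> str:
    """Lower-cased final extension of an archive member name."""
    return PurePosixPath(name).suffix.lower()


def _members(zip_bytes: bytes) -> list[str]:
    """File entries in the archive, skipping directory entries."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not i.is_dir()]


def denylist_rejects(zip_bytes: bytes) -> list[str]:
    """Denylist-style check: flags only extensions it already knows about."""
    return [n for n in _members(zip_bytes) if _extension(n) in DENYLIST]


def allowlist_rejects(zip_bytes: bytes) -> list[str]:
    """Allowlist check: flags every member whose extension is not expected."""
    return [n for n in _members(zip_bytes) if _extension(n) not in ALLOWLIST]


def build_sample_package() -> bytes:
    """Constructed sample archive; contents are placeholders, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/theme.json", "{}")
        zf.writestr("theme/css/style.css", "body{}")
        zf.writestr("theme/inc/info.php", "placeholder")
        zf.writestr("theme/inc/helper.phtml", "placeholder")
        zf.writestr("theme/inc/OTHER.PHTML", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_package()
    print("denylist rejects: ", denylist_rejects(pkg))
    print("allowlist rejects:", allowlist_rejects(pkg))
```

The denylist check passes both .phtml members, while the allowlist check rejects every member whose extension was not expected, whatever its letter case.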

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2020-14067

Affected Products

Navigate Cms