PT-2020-15200 · Niushop · Niushop B2B2C Multi-Business Basic Version V1.11

Published 2020-09-30 · Updated 2020-10-09 · CVE-2020-19672

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Niushop B2B2C Multi-business basic version V1.11

Description: The issue allows an attacker to bypass administrator access control and reach the backend upload interface. By manipulating the upload parameter it is possible to bypass the getimagesize check, allowing a PHP file to be uploaded, which can lead to shell access on the server.

Recommendations: For Niushop B2B2C Multi-business basic version V1.11, restrict access to the upload interface and validate the upload parameter so that the getimagesize check cannot be bypassed. As a temporary workaround, consider disabling the upload functionality until a patch is available.
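The weakness the description names (a getimagesize check that accepts any file with a valid image header) and the validation the recommendation asks for, shown as an added example in PHP. This is not Niushop's code; the function name, the allowlist and `$uploadDir` are assumptions made for the example.

```php
<?php
// Added example, not Niushop code. getimagesize() only parses the image header, so a
// file with a valid header and PHP code appended still passes it. Defences here: extension
// allowlist, content-based MIME sniffing, GD re-encoding, and a server-generated name.

const ALLOWED_IMAGES = [
    'image/jpeg' => ['ext' => 'jpg', 'load' => 'imagecreatefromjpeg', 'save' => 'imagejpeg'],
    'image/png'  => ['ext' => 'png', 'load' => 'imagecreatefrompng',  'save' => 'imagepng'],
    'image/gif'  => ['ext' => 'gif', 'load' => 'imagecreatefromgif',  'save' => 'imagegif'],
];

// Validate one $_FILES entry and store it re-encoded. Returns the stored path or throws.
// $uploadDir (assumed) must be a directory the web server never executes PHP from.
function store_image_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    // 1. Extension allowlist on the client name (last extension only, lowercased).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, array_column(ALLOWED_IMAGES, 'ext'), true)) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. MIME from the bytes on disk, never from the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGES[$mime]) || ALLOWED_IMAGES[$mime]['ext'] !== $ext) {
        throw new RuntimeException('content type does not match extension');
    }
    // 3. The header check stays, but it is no longer the last word.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a decodable image header');
    }
    // 4. Re-encode through GD: only pixel data survives, anything appended is dropped.
    $load = ALLOWED_IMAGES[$mime]['load'];
    $img = @$load($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('image failed to decode');
    }
    // 5. Random server-chosen name; the client-supplied name never reaches the filesystem.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $save = ALLOWED_IMAGES[$mime]['save'];
    $ok = $save($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    return $dest;
}
```

The function is meant to be called only after the request has passed the administrator authentication check the description says was bypassed; upload validation does not replace that check.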

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2020-19672

Affected Products: Niushop B2B2C Multi-Business Basic Version V1.11