CVE-2020-35709

Name of the Vulnerable Software and Affected Versions bloofoxCMS version 0.5.2.1

Description The issue allows admins to upload arbitrary .php files to ../media/images/ via the "admin/index.php?mode=tools&page=upload" URI, which is a directory traversal issue. This is achieved by using a "Content-Type: application/octet-stream" header.

Recommendations For bloofoxCMS version 0.5.2.1, consider restricting access to the admin/index.php?mode=tools&page=upload URI to prevent arbitrary file uploads until a patch is available. As a temporary workaround, consider disabling the upload functionality in the admin panel to minimize the risk of exploitation.