PT-2020-7950 · Kunena · Kunena
Published
2020-02-24
·
Updated
2020-03-03
·
CVE-2016-11020
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Kunena versions prior to 5.0.4
Description:
The issue allows for XSS and potentially remote code execution due to the lack of restriction on avatar file extensions, which should be limited to gif, jpeg, jpg, and png.
Recommendations:
For versions prior to 5.0.4, update to version 5.0.4 or later to resolve the issue.
As a temporary workaround, consider restricting avatar file uploads to only gif, jpeg, jpg, and png extensions until a patch is applied.
Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Kunena