PT-2020-8650 · Fleetco · Fleetco Fleet Maintenance Management
Published: 2020-03-02 · Updated: 2020-03-04 · CVE-2018-19798
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Fleetco Fleet Maintenance Management (FMM) versions 1.2 and earlier
Description:
The issue allows an authenticated user to upload an arbitrary ".php" file with the application/x-php Content-Type to the "accidents_add.php?submit=1" URI, as demonstrated by the value_Images_1 field. The uploaded file is reachable and executed by the web server, which leads to remote command execution on the server. Any authenticated user can exploit this; no administrative privileges are required (CVSS PR:L).
Recommendations:
For versions 1.2 and earlier, disable the file upload functionality of the accidents_add.php endpoint until a patch is available. Restrict access to the accidents_add.php?submit=1 URI to minimize the risk of exploitation, keeping in mind that authentication alone is not a mitigation, since every authenticated account can trigger the issue. Avoid using the value_Images_1 field in the affected endpoint until the issue is resolved. Where the upload cannot be disabled, configure the web server so that scripts in the upload directory are never executed, and validate uploads by extension allowlist and file content rather than by the client-supplied Content-Type.
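The description and the recommendations above both come down to one root cause: the handler stores whatever the client sends under the name and Content-Type the client chose. The following is an added example, not Fleetco's code, showing that vulnerable pattern next to a hardened image-upload handler for a field such as value_Images_1. The directory path, size limit, function names and the field name lookup are assumptions made for illustration; Fleetco's real handler and paths are not on this page.

```php
<?php
// Added example (not Fleetco code). UPLOAD_DIR, MAX_BYTES, ALLOWED and the
// function names are assumptions for illustration only.
declare(strict_types=1);

// Assumed storage directory: keep it outside the web root, or configure the
// web server so that nothing in it is ever handed to the PHP interpreter.
const UPLOAD_DIR = '/var/lib/fmm/uploads';
const MAX_BYTES  = 5 * 1024 * 1024;

// Extension allowlist mapped to the MIME type we expect to detect from content.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Vulnerable pattern (do not use): trusts the client-supplied file name and
 * never looks at the content, so name="shell.php" sent as
 * application/x-php is stored under the web root and becomes executable.
 */
function vulnerable_save(array $file): string
{
    $dest = __DIR__ . '/uploads/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

/**
 * Hardened version. $file is one entry of $_FILES, e.g. $_FILES['value_Images_1'].
 * Returns the stored path or throws RuntimeException on any rejection.
 */
function safe_save_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension allowlist on the client name: .php, .phtml, .phar, ... are rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }

    // 2. $file['type'] is the client's Content-Type and is ignored; sniff the real one.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED[$ext]);
    }

    // 3. Require a parseable image header; plain PHP source with a .jpg name fails here.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 4. Server-chosen random name: the attacker never controls the stored path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // data, never executable
    return $dest;
}

// Usage in the form handler (field name taken from the advisory):
// try {
//     $path = safe_save_image($_FILES['value_Images_1']);
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('upload rejected');
// }
```

Steps 2 and 3 do not stop a polyglot file that starts with a valid GIF or JPEG header and carries PHP code after it; they only stop the plain ".php" upload the advisory describes. The checks that hold regardless of content are step 1 (the stored name can never end in a server-side extension), step 4 (the attacker cannot choose the path), and the storage location outside the web root or a web-server rule that disables script execution in the upload directory. The chmod is defence in depth only: mod_php and php-fpm execute any readable file they are asked to serve, so file mode alone does not prevent execution.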
Weakness Enumeration:
Unrestricted File Upload (CWE-434)
Related Identifiers:
CVE-2018-19798
Affected Products:
Fleetco Fleet Maintenance Management