CVE-2021-37770

Name of the Vulnerable Software and Affected Versions Nucleus CMS version 3.71

Description The issue allows an attacker to upload a malicious file by changing the upload path to a location without an Htaccess file. By uploading an Htaccess file with the content 'AddType application/x-httpd-php.jpg', an attacker can then upload a picture with a shell, which can be executed as PHP, enabling the attacker to execute commands and potentially take down website resources.

Recommendations For Nucleus CMS version 3.71, consider disabling the file upload feature until a patch is available to prevent exploitation. Restrict access to the upload functionality to minimize the risk of malicious file uploads. Avoid using the upload feature to upload files with potentially executable content, such as images with embedded shells, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.