PT-2022-9891 · Unknown · Horizontcms

Published 2022-04-05 · Updated 2022-04-15 · CVE-2021-28428

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: HorizontCMS versions prior to 1.0.0-beta.3

Description: The Media Files upload functionality accepts files such as .htaccess and *.hello. Uploading them bypasses the filter that was put in place to restrict PHP extensions, which allows remote execution of PHP code.

Recommendations: For versions prior to 1.0.0-beta.3, update to version 1.0.0-beta.3 or later to resolve the issue. As a temporary workaround, restrict access to the Media Files upload functionality to reduce the risk of exploitation.
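The bypass described above is characteristic of a denylist that only looks for PHP extensions. As an added illustration of the allowlist approach that closes this class of issue (example code written for this page, not HorizontCMS's own fix; the function and constant names are hypothetical):

```php
<?php
// Added example, not code from HorizontCMS: allowlist-based filename check
// for a media upload handler. Names of the function and constant are hypothetical.

// Only the extensions the media library actually needs. Anything else,
// including an unknown extension like ".hello" or any PHP-family extension,
// is rejected by default instead of having to be listed in a denylist.
const MEDIA_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

/**
 * Returns a server-generated name to store the upload under, or null if the
 * upload must be rejected. The client never controls the on-disk filename.
 */
function safeMediaFilename(string $clientName): ?string
{
    // Drop any directory component the client may have supplied.
    $name = basename($clientName);

    // Dotfiles such as ".htaccess" have no extension for a denylist to match,
    // yet Apache reads them as per-directory configuration. Reject them outright.
    if ($name === '' || $name[0] === '.') {
        return null;
    }

    // Use only the final extension, lower-cased, and require it in the allowlist.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, MEDIA_ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Random base name: double extensions ("x.php.jpg") cannot survive, and the
    // original name cannot influence how the web server handles the stored file.
    // A content (MIME) check on the uploaded bytes should complement this.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names for illustration.
foreach (['.htaccess', 'notes.hello', 'x.php.jpg', 'photo.PNG'] as $sample) {
    $stored = safeMediaFilename($sample);
    printf("%-12s -> %s\n", $sample, $stored ?? 'rejected');
}
```

Pair the check with a server configuration that does not execute scripts from the upload directory, so a mistake in the allowlist alone is not enough to run code.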

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2021-28428

Affected Products

Horizontcms