PT-2025-51962 · Ulicms · Ulicms

Mirabbas Ağalarov

·

Published

2025-12-17

·

Updated

2025-12-20

·

CVE-2023-53924

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

UliCMS version 2023.1-sniffing-vicuna

Description

The software contains a remote code execution issue that allows authenticated attackers to upload PHP files with a .phar extension during profile avatar uploads. An attacker can then execute the uploaded file's PHP code by requesting it directly, which enables system command execution through a malicious avatar upload.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the file types allowed for avatar uploads so that .phar files cannot be uploaded.
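As an added illustration of the recommended workaround (example code, not UliCMS's own), the PHP validator below accepts an avatar only if its extension is on an image allowlist and the file's bytes actually decode as that image type, so a .phar name, a double extension, or a non-image payload with an image name is rejected before anything is stored. The function name, the allowlist and the constructed sample files are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical hardened avatar check: allowlist the extension, then verify
// the content really is that image type. Everything else is rejected.

const AVATAR_TYPES = [            // extension => IMAGETYPE_* the bytes must decode to
    'png'  => IMAGETYPE_PNG,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'gif'  => IMAGETYPE_GIF,
    'webp' => IMAGETYPE_WEBP,
];

/** Returns [bool accepted, string reason, ?string serverSideFileName]. */
function validateAvatar(string $clientName, string $tmpPath, int $maxBytes = 2000000): array
{
    $name = basename($clientName);
    // Exactly one dot: rejects "x.phar" handling quirks and "x.phar.gif" style names up front.
    if (substr_count($name, '.') !== 1) {
        return [false, 'filename must have exactly one extension', null];
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(AVATAR_TYPES[$ext])) {
        return [false, "extension .$ext is not an allowed image type", null];
    }
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return [false, 'missing or oversized upload', null];
    }
    // Content check: the bytes must parse as the image type the name claims.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== AVATAR_TYPES[$ext]) {
        return [false, 'file content does not match its image extension', null];
    }
    // Never reuse the client-supplied name on disk; generate one server-side.
    return [true, 'ok', bin2hex(random_bytes(16)) . '.' . $ext];
}

// Self-test with constructed inputs (temporary files, not real uploads).
$gif = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00"); // constructed 1x1 GIF header
$text = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($text, 'not an image');                      // constructed non-image content

foreach (['me.gif' => $gif, 'me.phar' => $text, 'me.gif ' => $text, 'me.phar.gif' => $gif] as $n => $p) {
    [$ok, $why] = validateAvatar(trim($n), $p);
    printf("%-12s %s (%s)\n", trim($n), $ok ? 'accepted' : 'rejected', $why);
}
unlink($gif);
unlink($text);
```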

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2023-53924

Affected Products

Ulicms