Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2017-1000119 |
CWE-ID | CWE-434 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | October CMS (Web applications / CMS) |
Vendor | OctoberCMS |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU38142
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-1000119
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
Description
The vulnerability allows a remote privileged user to execute arbitrary code.
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality, resulting in compromise of the site and possibly of other applications on the server.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
October CMS: 1.0.412
External links
http://octobercms.com/support/article/rn-8
http://packetstormsecurity.com/files/154390/October-CMS-Upload-Protection-Bypass-Code-Execution.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.