SB2019092615 - Security restrictions bypass in CKFinder
Published: September 26, 2019 Updated: November 7, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Arbitrary file upload (CVE-ID: CVE-2019-15862)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient validation of the file extension when processing file uploads. A remote attacker can upload files that do not have an extension, even if CKFinder is configured to allow certain file extensions only.
The vulnerability affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP.
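The failure mode described above, an extension allowlist that is skipped when the name carries no extension, shown as an added illustration in Python; this is not CKFinder's code, and the allowlist and the sample file names are constructed for the example.

```python
import os
from typing import Dict, Iterable, Set, Tuple

# Constructed allowlist for the example; not CKFinder's actual default configuration.
ALLOWED_EXTENSIONS: Set[str] = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def extension_of(filename: str) -> str:
    """Lowercase text after the last dot of the base name, or '' when there is none."""
    base = os.path.basename(filename)
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def is_allowed_weak(filename: str, allowed: Set[str] = ALLOWED_EXTENSIONS) -> bool:
    """Illustrative weak check: the allowlist is consulted only when an
    extension is present, so an extensionless name ('document') or one
    ending in a bare dot ('document.') is accepted without any check."""
    ext = extension_of(filename)
    if not ext:
        return True  # the bypass: nothing to compare, so the upload goes through
    return ext in allowed


def is_allowed_strict(filename: str, allowed: Set[str] = ALLOWED_EXTENSIONS) -> bool:
    """Hardened check: the base name must carry a non-empty extension that
    appears in the (case-insensitive) allowlist; dotfiles and names with
    an empty or missing extension are rejected outright."""
    base = os.path.basename(filename)
    if not base or base.startswith(".") or base.endswith("."):
        return False
    ext = extension_of(base)
    return bool(ext) and ext in allowed


def compare(filenames: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each name to (weak_result, strict_result); useful when auditing
    an upload log for names that only the weak check would have accepted."""
    return {name: (is_allowed_weak(name), is_allowed_strict(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample of uploaded names, not taken from any real log.
    sample = ["photo.JPG", "document", "document.", "script.php", ".htaccess"]
    for name, (weak, strict) in compare(sample).items():
        print(f"{name!r:16} weak={weak!s:5} strict={strict}")
```

Running `compare` over the file names recorded by an upload handler flags every name the weak check accepted but the strict one rejects, which is exactly the set of extensionless uploads this bulletin is about.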
Remediation
Install the update from the vendor's website.