Dangerous file upload in PopojiCMS - CVE-2018-18934
Published: March 4, 2019
Vulnerability identifier: #VU17894
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2018-18934
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PopojiCMS
Affected software:
PopojiCMS
PopojiCMS
Detailed vulnerability description
The vulnerability allows a remote attacker to upload dangerous files to the system.
The vulnerability exists due to insufficient validation of the uploaded files passed via the "fupload" parameter to "po-admin/route.php?mod=component&act=addnew" URI. A remote authenticated administrator can upload a .zip archive with .php file inside and execute it with privileges of the web server.
Note, this vulnerability can be exploited via CSRF attack.
How to mitigate CVE-2018-18934
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.