Input validation error in Pimcore - CVE-2019-16318
Published: September 15, 2019
Vulnerability identifier: #VU21108
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-16318
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Pimcore
Affected software:
Pimcore
Pimcore
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of long files names. A remote authenticated attacker can supply a .php file with name that contains 256 characters, bypass the implemented security mechanisms that was supposed to change the uploaded file extension into .php.txt file, and execute arbitrary PHP code on the system.
How to mitigate CVE-2019-16318
Install updates from vendor's website.