Main Vulnerability Database Vulnerabilities #VU22579

Arbitrary file upload in CKFinder - CVE-2019-15862

Published: November 7, 2019

Vulnerability identifier: #VU22579

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-15862

CWE-ID: CWE-434

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: CKSource

Affected software:
CKFinder

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to insufficient validation of the file extension when processing file uploads. A remote attacker can upload files that do not have an extension, even if CKFinder is configured to allow certain file extensions only.

The vulnerability affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP.

How to mitigate CVE-2019-15862

Install updates from vendor's website.

Sources

https://ckeditor.com/blog/CKFinder-3.5.1-and-CKFinder-2.6.3-released/

Arbitrary file upload in CKFinder - CVE-2019-15862

Detailed vulnerability description

How to mitigate CVE-2019-15862

Sources

Please verify you're human