Arbitrary file upload in Bludit - CVE-2018-1000811


Published: December 20, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU36279
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-1000811
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Bludit
Affected software:
Bludit

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

Bludit version 3.0.0 contains an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the content upload function of the Pages Editor that can result in remote command execution. The attack is exploitable by an authenticated user who uploads a crafted file containing PHP code: because the upload is not restricted to safe file types, the file is written into a web-served location and can then be requested and executed by the PHP interpreter.
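The CWE-434 pattern behind this advisory, shown as an added example that is not Bludit's code: a minimal PHP upload handler that trusts the client-supplied file name (the vulnerable shape), beside a hardened handler that decides the extension and file name server-side, sniffs the real content type and rejects mismatches. The function names, the `$uploadDir` argument and the short allowlist are assumptions for illustration.

```php
<?php
// Added example, not Bludit's code. Function names, $uploadDir and the
// allowlist are assumptions chosen for illustration.

// --- Vulnerable pattern (CWE-434) -----------------------------------------
// The client controls the file name, so "shell.php" containing PHP code is
// written unchanged into a web-served directory. Requesting it afterwards
// makes the server execute it: remote command execution as the web user.
function upload_vulnerable(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $dest;
}

// --- Hardened pattern --------------------------------------------------------
// 1. extension allowlist decided by the server, never the client;
// 2. content sniffed with finfo, so a file named photo.png that is really
//    PHP source is rejected ($file['type'] is client-supplied and ignored);
// 3. server-generated random file name, so the attacker controls neither
//    the name nor the extension that reaches the filesystem;
// 4. the upload directory must additionally be configured so PHP is not
//    executed from it (deployment step; a function cannot enforce that).
function upload_hardened(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }

    // Sniffed MIME type => the only extension it may be stored under.
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];

    // Only the last extension counts, lower-cased; "shell.php.png" still has
    // to pass the content check and is stored under a new name anyway.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new RuntimeException('extension not allowed');
    }

    // Sniff the bytes actually uploaded; a PHP script has no image magic.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime]) || $allowed[$mime] !== $ext) {
        throw new RuntimeException('content does not match extension');
    }

    // Random, server-chosen name: no path traversal, no attacker-chosen
    // extension, no predictable URL for a dropped file.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $uploadDir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    chmod($dest, 0644);  // readable, never executable
    return $dest;
}

// Typical call from a form handler (assumed field name "image"):
// $stored = upload_hardened($_FILES['image'], __DIR__ . '/uploads');
```

The content check is a filter, not a guarantee: a valid image with PHP appended (a polyglot) still sniffs as an image. What actually prevents execution is that the stored file never carries a PHP-executable extension and that the upload directory is served with PHP disabled; the finfo check mainly stops plain PHP source masquerading as an image. When checking an existing installation for abuse of this bug, look in the upload directory for files whose names end in a PHP-executable extension or whose contents begin with `<?php`.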


How to mitigate CVE-2018-1000811

Install the update from the vendor's website.

Sources