#VU13543 Arbitrary file upload in HongCMS


Published: 2018-07-02 | Updated: 2019-10-21

Vulnerability identifier: #VU13543

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-13021

CWE-ID: CWE-434

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HongCMS
Web applications / CMS

Vendor: HongCMS

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists because the application allows unrestricted upload of dangerous files via the "admin/index.php/template/upload" URI. A remote authenticated user can upload a malicious PHP script to the server and execute it.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
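
With no official fix listed, one compensating control is to review web server access logs for POST requests to the upload URI named above. The following is an added example, not code from HongCMS or from this advisory; it assumes Apache/nginx "combined" log format, and the sample log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory; the CMS may be installed under a subdirectory,
# so the check matches on the path suffix.
UPLOAD_SUFFIX = "/admin/index.php/template/upload"

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query string, decode percent-escapes once, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/").lower()

def find_upload_requests(lines):
    """Return one record per POST request that reached the template upload URI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalize_path(m["target"]).endswith(UPLOAD_SUFFIX):
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jul/2018:10:15:01 +0000] "GET /admin/index.php/template HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jul/2018:10:15:09 +0000] "POST /admin/index.php/template/upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Jul/2018:11:02:44 +0000] "POST /cms//admin/index.php/template/%75pload?x=1 HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '192.0.2.10 - - [02/Jul/2018:11:30:00 +0000] "POST /admin/index.php/login HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_upload_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["target"])
```

Each hit is a request worth correlating with the administrator account that was logged in at that time and with any new .php files written to the web root afterwards.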

Vulnerable software versions

HongCMS: 3.0.0


CPE

External links
http://github.com/Neeke/HongCMS/issues/5

