#VU19980 Input validation error in Backdrop CMS
Published: August 8, 2019
Vulnerability identifier: #VU19980
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Backdrop CMS
Backdrop CMS
Software vendor:
Backdrop CMS
Backdrop CMS
Description
The vulnerability allows a remote attacker to compromise vulnerable website.
The vulnerability exists due to insufficient validation of the uploaded files. A remote privileged attacker can upload and execute arbitrary PHP code on the server.
Successful exploitation of the vulnerability requires "Synchronize, import, and export configuration" permissions.
Remediation
Install updates from vendor's website.