#VU21108 Input validation error in Pimcore - CVE-2019-16318
Published: September 15, 2019
Vulnerability identifier: #VU21108
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-16318
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Pimcore
Software vendor:
Pimcore
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of long file names. A remote authenticated attacker can supply a .php file with a name that contains 256 characters, bypass the implemented security mechanism that was supposed to change the uploaded file extension to .php.txt, and execute arbitrary PHP code on the system.
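One way to make an upload-renaming step of the kind described above fail closed on long names, as an added example that is not Pimcore's code or the vendor's fix. The function name `safeUploadName`, the 255-byte name limit and the extension blocklist are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the advisory): 255-byte name limit, blocklist contents.
const MAX_NAME_BYTES = 255;
const NEUTRAL_SUFFIX = '.txt';
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht'];

/** Return the name to store an upload under, or throw if no safe name exists. */
function safeUploadName(string $clientName): string
{
    // Keep only the last path component and drop control characters.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = preg_replace('/[\x00-\x1f\x7f]/', '', $name) ?? '';
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('empty or reserved file name');
    }
    // Reject over-long names before any rewriting happens.
    if (strlen($name) > MAX_NAME_BYTES) {
        throw new LengthException('file name is longer than the limit');
    }
    // Neutralise when any dot-separated segment is an executable extension.
    $segments = array_slice(explode('.', strtolower($name)), 1);
    if (array_intersect($segments, EXECUTABLE_EXTENSIONS) !== []) {
        $name .= NEUTRAL_SUFFIX;
    }
    // The suffix must still fit: fail closed instead of truncating it away.
    if (strlen($name) > MAX_NAME_BYTES) {
        throw new LengthException('neutralised file name is longer than the limit');
    }
    // Post-condition on the exact string that will reach the filesystem.
    $final = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($final, EXECUTABLE_EXTENSIONS, true)) {
        throw new RuntimeException('refusing to store an executable extension');
    }
    return $name;
}

// Constructed sample inputs, including names at and around the length limit.
$samples = ['report.pdf', 'page.php', str_repeat('a', 248) . '.php', str_repeat('a', 252) . '.php'];
foreach ($samples as $sample) {
    try {
        printf("%d bytes: stored as ...%s\n", strlen($sample), substr(safeUploadName($sample), -12));
    } catch (Exception $e) {
        printf("%d bytes: rejected (%s)\n", strlen($sample), $e->getMessage());
    }
}
```

The length is checked both before and after the suffix is appended, and the final extension is verified on the exact string handed to the filesystem, so a name too long to carry the suffix is rejected instead of being stored under its original extension.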
Remediation
Install updates from the vendor's website.