#VU22579 Arbitrary file upload in CKFinder - CVE-2019-15862
Published: November 7, 2019
CKFinder
CKSource
Description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient validation of the file extension when processing file uploads. A remote attacker can upload files that do not have an extension, even if CKFinder is configured to allow certain file extensions only.
The vulnerability affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP.
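The failure mode described above, as an added illustration that is not CKFinder's code and not part of the original advisory: an allowlist check that is skipped when a filename has no extension, next to a default-deny version. The function names, the allowlist and the sample filenames are constructed for the example, and treating trailing-dot and dotfile names as extensionless goes slightly beyond the case the advisory names.

```python
import os

# Constructed allowlist for this example; not a CKFinder default.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Constructed sample upload names covering the edge cases.
SAMPLE_NAMES = ["photo.JPG", "report.pdf", "LICENSE", "notes.", ".gitignore", "script.php"]


def extension_of(filename: str) -> str:
    """Return the lowercased final extension, or "" when there is none."""
    # Normalise Windows separators so only the last path component is examined.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        # "LICENSE" has no dot; ".gitignore" is a dotfile with an empty stem.
        return ""
    return ext.lower()  # "notes." yields "" because nothing follows the dot


def is_allowed_flawed(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Assumed flawed pattern: the allowlist is consulted only if an extension exists."""
    ext = extension_of(filename)
    if ext == "":
        return True  # nothing to compare, so the upload passes unchecked
    return ext in allowed


def is_allowed_hardened(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Default deny: an empty extension is not on the allowlist, so it is rejected."""
    ext = extension_of(filename)
    return ext != "" and ext in allowed


def disagreements(names=SAMPLE_NAMES) -> list:
    """Names the flawed check accepts but the hardened check rejects."""
    return [n for n in names if is_allowed_flawed(n) and not is_allowed_hardened(n)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:14} flawed={is_allowed_flawed(name)!s:5} "
              f"hardened={is_allowed_hardened(name)}")
    print("accepted only by the flawed check:", disagreements())
```

The same default-deny comparison works as a regression test for an upload handler after upgrading: submit an extensionless name and confirm it is refused.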