Do your applications use this vulnerable package?
Test your applications
Overview
pimcore/pimcore is a content & product management framework (CMS/PIM/E-Commerce).
Affected versions of this package are vulnerable to Arbitrary File Upload. It is possible to for a user to upload a .php
file when creating a permission on the assets
feature, resulting in arbitrary code execution. This is achieved by bypassing the .txt
extension automatically added by the framework by uploading a file with 256 characters name, automatically removing the .txt extension.
Remediation
Upgrade pimcore/pimcore
to version 5.7.1 or higher.
References
CVSS Score
7.6
high severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredLow
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityHigh
-
IntegrityLow
-
AvailabilityLow
- Credit
- Daniele Scanu
- CVE
- CVE-2019-16318
- CWE
- CWE-434
- Snyk ID
- SNYK-PHP-PIMCOREPIMCORE-451598
- Disclosed
- 19 Mar, 2019
- Published
- 15 Jul, 2019