Homepage
About Snyk

Arbitrary File Upload Affecting slub/slub-events package, versions <3.0.3

0.0
low

Snyk CVSS

    Attack Complexity Low
    Privileges Required High

    Threat Intelligence

    EPSS 1.37% (87th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-SLUBSLUBEVENTS-473705
  • published 16 Oct 2019
  • disclosed 16 Oct 2019
  • credit Torben Hansen
Report a new vulnerability Found a mistake?

Introduced: 16 Oct 2019

CVE-2019-16700 Open this link in a new tab
CWE-434 Open this link in a new tab

How to fix?

Upgrade slub/slub-events to version 3.0.3 or higher.

Overview

slub/slub-events is a TYPO3 extension for event registration and experts booking.

Affected versions of this package are vulnerable to Arbitrary File Upload. The slub_events (aka SLUB: Event Registration) extension used as part of TYPO3 allows uploading of arbitrary files to the webserver, resulting in the malicious upload and execution of malicious files on the server.

It should be noted that for releases 1.2.2 and below, this can result in Remote Code Execution. In versions later than 1.2.2, this can result in Denial of Service, since the web space can be filled up with arbitrary files.