Arbitrary File Upload Affecting slub/slub-events package, versions <3.0.3
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-SLUBSLUBEVENTS-473705
- published 16 Oct 2019
- disclosed 16 Oct 2019
- credit Torben Hansen
Introduced: 16 Oct 2019
CVE-2019-16700 Open this link in a new tabHow to fix?
Upgrade slub/slub-events
to version 3.0.3 or higher.
Overview
slub/slub-events is a TYPO3 extension for event registration and experts booking.
Affected versions of this package are vulnerable to Arbitrary File Upload. The slub_events (aka SLUB: Event Registration) extension used as part of TYPO3 allows uploading of arbitrary files to the webserver, resulting in the malicious upload and execution of malicious files on the server.
It should be noted that for releases 1.2.2 and below, this can result in Remote Code Execution. In versions later than 1.2.2, this can result in Denial of Service, since the web space can be filled up with arbitrary files.