Remote Code Execution Vulnerability in Craft CMS by Pixel & Tonic
CVE-2018-3814

8.8HIGH

Key Information:

Vendor: Craftcms
Status: Craft Cms
Vendor: CVE Published:; 1 January 2018

What is CVE-2018-3814?

Craft CMS version 2.6.3000 contains a vulnerability that permits remote attackers to execute arbitrary PHP code. This is achieved through the 'Assets->Upload files' feature, where a malicious user can upload a .jpg file that contains embedded PHP code. By using the 'Replace it' option, they can rename this file to a .php extension, enabling the execution of the embedded code on the server. This vulnerability underscores the necessity of stringent file validation and secure handling of user-uploaded content to mitigate potential risks.

References

https://github.com/Snowty/myCVE/blob/master/CraftCMS-2.6....

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 1, 2018
Vulnerability Reserved
Jan 1, 2018

Craftcms

What is CVE-2018-3814?

References

CVSS V3.1

Timeline