Remote Code Execution Vulnerability in SiteServer CMS 6.9.0
CVE-2019-11401

7.2HIGH

Key Information:

Vendor

Siteserver

Status
Siteserver Cms
Vendor
CVE Published:
22 April 2019

What is CVE-2019-11401?

A vulnerability in SiteServer CMS 6.9.0 allows remote attackers to execute arbitrary code. This occurs because an administrator can add the file extension .aassp, which is subsequently converted to .asp due to the deletion of the 'as' substring. This improper handling of file types enables the execution of malicious scripts, posing a serious risk to system integrity and data security.

References

https://github.com/siteserver/cms/issues/1858
x_refsource_MISC

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.