Arbitrary Code Execution Vulnerability in Sitemagic CMS by Sitemagic
CVE-2019-9042

7.2HIGH

Key Information:

Vendor: Sitemagic
Status: Sitemagic Cms
Vendor: CVE Published:; 23 February 2019

What is CVE-2019-9042?

An issue in Sitemagic CMS v4.4 allows for potential arbitrary code execution via the index.php?SMExt=SMFiles URI, where users can upload .php files if the FileExtensionFilter is not configured by the administrator. This exploit is particularly risky when there are untrusted user accounts present, enabling unauthorized code execution. Although the maintainer suggests that this behavior is intended as a feature when used with External Modules, it still poses significant security implications.

References

http://www.iwantacve.cn/index.php/archives/116/

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 23, 2019
Vulnerability Reserved
Feb 23, 2019

JSON