CVE-2019-17536

CRITICAL

9.9

CVSS 3.0

Description

Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.

Metadata

CVE ID: CVE-2019-17536
State: PUBLISHED
Assigner: mitre
Reserved: 2019-10-13 00:00 UTC
Published: 2019-10-13 17:52 UTC
Last updated: 2024-08-05 01:40 UTC
Vendor / Product: n/a / n/a
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.0

CVSS:3.0/AC:L/AV:N/A:L/C:H/I:H/PR:L/S:C/UI:N

Affected products (1)

Vendor	Product	Platform	Versions
n/a	n/a	—	n/a

Weakness (CWE)

CWE	Source	Description
—	cna	n/a

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.0	cna	CVSS:3.0/AC:L/AV:N/A:L/C:H/I:H/PR:L/S:C/UI:N

References (2)

https://rastating.github.io/gila-cms-upload-filter-bypass-and-rce/
https://github.com/GilaCMS/gila/pull/49

Back to overview