CVE-2018-18934

Published: Nov 5, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF.

Affected (1)

Products: Popojicms: Popojicms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Popojicms Popojicms	Version 2.0.1

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/PopojiCMS/PopojiCMS/issues/12

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://github.com/PopojiCMS/PopojiCMS/issues/13

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://github.com/PopojiCMS/PopojiCMS/issues/12

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://github.com/PopojiCMS/PopojiCMS/issues/13

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.