CVE-2019-13464

Published: Jul 9, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.

Affected (1)

Products: Modsecurity: Owasp Modsecurity Core Rule Set

1 product

Owasp Modsecurity Core Rule Set

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Modsecurity Owasp Modsecurity Core Rule Set	Version 3.0.2

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1386

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1391

Source: cve@mitre.org

Third Party Advisory

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1386

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1391

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.