CVE-2019-15862

Published: Sep 26, 2019Modified: Jun 17, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in CKFinder through 2.6.2.1. Improper checks of file names allows remote attackers to upload files without any extension (even if the application was configured to accept files only with a defined set of extensions). This affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP.

Affected (4)

Products: Cksource: Ckfinder

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Cksource Ckfinder	Before 2.6.3
Cksource Ckfinder	Before 2.6.3

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Cksource Ckfinder	Before 2.6.3
Cksource Ckfinder	Before 2.6.3

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://ckeditor.com/blog/CKFinder-3.5.1-and-CKFinder-2.6.3-released/

Source: cve@mitre.org

Third Party Advisory

https://ckeditor.com/blog/CKFinder-3.5.1-and-CKFinder-2.6.3-released/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.