CVE-2019-9181

Published: Feb 26, 2019Modified: Jun 17, 2026

7.2

Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

SchoolCMS version 2.3.1 allows file upload via the logo upload feature at admin.php?m=admin&c=site&a=save by using the .jpg extension, changing the Content-Type to image/php, and placing PHP code after the JPEG data. This ultimately allows execution of arbitrary PHP code.

Affected (1)

Products: Schoolcms: Schoolcms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Schoolcms Schoolcms	Version 2.3.1

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

http://www.iwantacve.cn/index.php/archives/125/

Source: cve@mitre.org

ExploitThird Party Advisory

http://www.iwantacve.cn/index.php/archives/125/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.