CVE-2020-14067

Published: Jun 15, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The install_from_hash functionality in Navigate CMS 2.9 does not consider the .phtml extension when examining files within a ZIP archive that may contain PHP code, in check_upload in lib/packages/extensions/extension.class.php and lib/packages/themes/theme.class.php.

Affected (1)

Products: Naviwebs: Navigatecms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Naviwebs Navigatecms	Version 2.9

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://github.com/NavigateCMS/Navigate-CMS/commit/f1f47126b359d73a2635306ae46d8719c14d240b

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/NavigateCMS/Navigate-CMS/commit/f1f47126b359d73a2635306ae46d8719c14d240b

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.