SB2018122024 - Arbitrary file upload in Bludit




Published: December 20, 2018
Updated: August 8, 2020

Security Bulletin ID: SB2018122024
Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Arbitrary file upload (CVE-ID: CVE-2018-1000811)

The vulnerability allows a remote authenticated user to execute arbitrary code.

Bludit version 3.0.0 contains an Unrestricted Upload of File with Dangerous Type vulnerability in the Content Upload feature of the Pages Editor that can result in remote command execution. The attack appears to be exploitable by a malicious user who uploads a crafted payload containing PHP code.


Remediation

Install the update from the vendor's website.