CVE-2019-16318

Опубликовано: 14 сент. 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.

Ссылки

https://github.com/pimcore/pimcore/commit/732f1647cc6e0a29b5b1f5d904b4d726b5e9455f
Patch
https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-451598
Third Party Advisory
https://github.com/pimcore/pimcore/commit/732f1647cc6e0a29b5b1f5d904b4d726b5e9455f
Patch
https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-451598
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Версия до 5.7.1 (исключая)

EPSS

Процентиль: 1%

0.00008

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-cxj7-4jpj-2q38