Description
Concrete5 versions up to and including 8.5.2 allow Unrestricted Upload of File with Dangerous Type, such as a .php file, via the File Manager. It is possible to modify the site configuration so that the PHP file can be uploaded, and then execute arbitrary commands.
Remediation
References