CVE-2014-4912
Published 2018-03-22
CVE-2014-4912: An Arbitrary File Upload issue was discovered in Frog CMS 0.9.5 due to lack of extension validation.
Priority P266 · critical · CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 8.51% (94.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frog_cms_project | frog_cms | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to the file_manager plugin upload endpoint (/admin/?/plugin/file_manager/) for uploads of executable file types (e.g., .php), indicating exploitation of missing extension validation.
- Alert on PHP (or other executable script) files appearing under the /public/images/ web-accessible directory, as this is the expected drop location for uploaded webshells.
- Unauthenticated HTTP requests to files placed under /public/images/ should be treated as potential webshell execution attempts, since no authentication is required to trigger uploaded files.
- Note: all authenticated CMS users (not just admins) have upload capability, broadening the attack surface beyond privileged accounts.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA-67pw-fcv6-74xx (CVE-2018-11098, CRITICAL, CWE-434; ghsa_unreviewed, 2022-05-14, CVSS 9.8)
An issue was discovered in Frog CMS 0.9.5. There is a file upload vulnerability via the admin/?/plugin/file_manager/upload URI, a similar issue to CVE-2014-4912.
GHSA-8gqp-wcpc-j87c (CVE-2014-4912, CRITICAL, CWE-434; ghsa_unreviewed, 2022-05-14)
An Arbitrary File Upload issue was discovered in Frog CMS 0.9.5 due to lack of extension validation.
No detection rules found.
No writeups or analysis indexed.