CVE-2018-1000811
published 2018-12-20


Priority: P273 · high · CVSS 3.0 base score 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 47.64% (98.7th percentile)
Bludit version 3.0.0 contains an Unrestricted Upload of File with Dangerous Type vulnerability in the Content Upload feature of the Pages Editor that can result in Remote Command Execution. The attack appears to be exploitable by a malicious user who uploads a crafted payload containing PHP code.

Affected

1 range

Vendor   Product   Version range   Fixed in
bludit   bludit    (not listed)    (not listed)

Detection & IOCs (extracted from sources)

URL: /admin/ajax/upload-files
Filename: poc.php
  • Detect multipart file upload requests to /admin/ajax/upload-files where the uploaded filename has a .php extension but the declared part Content-Type is image/png; the mismatch indicates MIME-type spoofing used to upload a PHP webshell.
  • Monitor POST requests to /admin/ajax/upload-files from authenticated sessions (BLUDIT-KEY cookie present) whose multipart body contains PHP files disguised as images.
  • Alert on the X-Requested-With: XMLHttpRequest header combined with a multipart upload to the Bludit upload endpoint; the exploit relies on the AJAX-based file upload path to bypass upload restrictions.
  • The exploit targets Bludit version 3.0.0 specifically; on installations reporting this version, flag or block requests to the upload endpoint.
  • The exploit requires an authenticated session (a valid BLUDIT-KEY cookie and CSRF token), so the attacker must already hold a valid user account or stolen credentials before exploiting the file upload vulnerability.
  • A valid tokenCSRF value must be supplied in the POST body, so detection rules should not rely on a missing CSRF token as an indicator: the attacker will have a legitimate token from the authenticated session.
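
The indicators above can be applied directly to raw HTTP requests. The following is an added example written for this page, not code from the page or from Bludit: it parses a multipart POST, alerts on a PHP filename declared with an image MIME type or on PHP open tags in the uploaded bytes, and records the BLUDIT-KEY cookie, X-Requested-With header and tokenCSRF field as context rather than as a reason to suppress. The two requests it analyses are constructed samples, the multipart field name `images[]` is an assumption, and the extra PHP extensions beyond `.php` generalise the page's rule.

```python
"""Detection logic for the Bludit /admin/ajax/upload-files IOCs.

Added example, not code from the page or from Bludit. Sample requests
below are constructed; the field name ``images[]`` is an assumption.
"""
import re

UPLOAD_ENDPOINT = "/admin/ajax/upload-files"
# The page names only .php; the rest are an assumed generalisation to
# extensions PHP servers commonly execute.
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")


def _parse_headers(block: bytes) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in block.split(b"\r\n"):
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers


def _parse_multipart(body: bytes, content_type: str) -> list:
    """Split a multipart/form-data body into (part_headers, content) tuples."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    delimiter = b"--" + m.group(1).encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        if b"\r\n\r\n" not in chunk:
            continue
        head, content = chunk.split(b"\r\n\r\n", 1)
        parts.append((_parse_headers(head), content))
    return parts


def analyze_request(raw: bytes) -> dict:
    """Apply the IOCs to one raw HTTP request and return alert, reasons, context."""
    result = {"alert": False, "reasons": [], "context": []}
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    tokens = request_line.decode(errors="replace").split(" ")
    if len(tokens) < 2:
        return result
    method, path = tokens[0], tokens[1].split("?", 1)[0]
    headers = _parse_headers(header_block)
    content_type = headers.get("content-type", "")
    if method != "POST" or path != UPLOAD_ENDPOINT:
        return result
    if not content_type.lower().startswith("multipart/form-data"):
        return result

    # Context only: the exploit runs inside a valid session, so these are expected.
    if "BLUDIT-KEY=" in headers.get("cookie", ""):
        result["context"].append("authenticated session (BLUDIT-KEY cookie)")
    if headers.get("x-requested-with", "").lower() == "xmlhttprequest":
        result["context"].append("AJAX upload (X-Requested-With)")

    for part_headers, content in _parse_multipart(body, content_type):
        disposition = part_headers.get("content-disposition", "")
        name_m = re.search(r'(?<!file)name="([^"]*)"', disposition)
        file_m = re.search(r'filename="([^"]*)"', disposition)
        if name_m and name_m.group(1) == "tokenCSRF" and content.strip():
            result["context"].append("tokenCSRF field present")
        if not file_m:
            continue
        filename = file_m.group(1)
        declared = part_headers.get("content-type", "").lower()
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        if ext in PHP_EXTENSIONS:
            result["alert"] = True
            result["reasons"].append(f"PHP filename uploaded: {filename}")
            if declared.startswith("image/"):
                result["reasons"].append(f"MIME spoofing: {filename} declared as {declared}")
        if b"<?php" in content or b"<?=" in content:
            result["alert"] = True
            result["reasons"].append(f"PHP open tag in uploaded content of {filename}")
    return result


BOUNDARY = "----WebKitFormBoundaryAbc123"


def _build_request(filename: str, declared_type: str, content: bytes) -> bytes:
    """Construct a sample upload request (constructed data, not a capture)."""
    body = (
        f"--{BOUNDARY}\r\n"
        'Content-Disposition: form-data; name="tokenCSRF"\r\n\r\n'
        "0123456789abcdef\r\n"
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="images[]"; filename="{filename}"\r\n'
        f"Content-Type: {declared_type}\r\n\r\n"
    ).encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()
    head = (
        f"POST {UPLOAD_ENDPOINT} HTTP/1.1\r\n"
        "Host: blog.example.test\r\n"
        "Cookie: BLUDIT-KEY=s3ss10n\r\n"
        "X-Requested-With: XMLHttpRequest\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


# Constructed samples: a PHP file declared as image/png, and a genuine PNG header.
MALICIOUS_REQUEST = _build_request("poc.php", "image/png", b"<?php echo 'hello'; ?>")
BENIGN_REQUEST = _build_request("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)

if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, analyze_request(req))
```

The benign request carries the same cookie, AJAX header and tokenCSRF as the malicious one and produces no alert, which is the point of the last two bullets: session and CSRF indicators describe the traffic, and only the filename/MIME/content mismatch decides.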

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P