CVE-2018-3814 — Unrestricted File Upload in Craft CMS

CWE-434 — Unrestricted File Upload5 documents4 sources

Severity

8.8HIGHNVD

OSV6.5

EPSS

0.7%

top 27.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Clamav Craftcms CMS Craftcms Craft CMS

Timeline

PublishedJan 1

Latest updateMay 13

Description

Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Packagistcraftcms/cms2.6.3000

▶NVDcraftcms/craft_cms2.6.3000

▶Ubuntuclamav/clamav< 0.100.2+dfsg-1ubuntu0.14.04.2

🔴Vulnerability Details

OSV

Craft CMS PHP Code Injection Vulnerability↗2022-05-13

▶

GHSA

Craft CMS PHP Code Injection Vulnerability↗2022-05-13

▶

OSV

clamav vulnerabilities↗2018-11-13

▶

CVEList

CVE-2018-3814: Craft CMS 2↗2018-01-01

▶