CVE-2019-18952
published 2019-11-13


Priority: P1 87 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 45.36% (98.6th percentile)
SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload. This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.

Affected (1 range)

Vendor   | Product       | Version range | Fixed in
sibsoft  | xfilesharing  | <= 2.5.1      | (not listed)

Detection & IOCs (extracted from sources)

url: /cgi-bin/up.cgi
path: /cgi-bin/up.cgi
path: /cgi-bin/temp/
filename: *.php
other: shodan-query: html:"/?op=registration" "OpenSSL"
  • Monitor for multipart file upload POST requests to /cgi-bin/up.cgi with a custom X-Requested-With: XMLHttpRequest header, which is the attack vector for this arbitrary file upload vulnerability.
  • Alert on PHP (or other executable) files uploaded to and subsequently accessed under /cgi-bin/temp/, indicating successful exploitation and potential remote code execution.
  • CVE-2019-18952 can be chained with CVE-2019-18951 to achieve RCE via a .html file containing short codes served over HTTP; monitor for .html file uploads to /cgi-bin/up.cgi as well.
  • Use the Shodan dork to identify exposed SibSoft Xfilesharing instances: search for html:"/?op=registration" combined with "OpenSSL".
  • The upload endpoint uses a multipart form-data 'sid' field to specify a subdirectory under /cgi-bin/temp/ where the uploaded file is stored; the attacker controls this path value.
  • No authentication is required to exploit this vulnerability (CVSS PR:N), meaning the upload endpoint /cgi-bin/up.cgi is publicly accessible.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck |         | 7.5   | HIGH     |