Vulnerability Details: CVE-2017-1000119
Public exploit exists!
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality, resulting in compromise of the site and possibly of other applications on the server.
Products affected by CVE-2017-1000119
- cpe:2.3:a:octobercms:october:1.0.412:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-1000119
- 67.29%: Probability of exploitation activity in the next 30 days
- ~98%: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2017-1000119
- October CMS Upload Protection Bypass Code Execution
  Disclosure Date: 2017-04-25
  First seen: 2020-04-26
  Module: exploit/multi/http/october_upload_bypass_exec
  This module exploits an Authenticated user with permission to upload and manage media contents can upload various files on the server. Application prevents the user from uploading PHP code by checking the file extension. It uses black-list based approach, as
CVSS scores for CVE-2017-1000119
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | |
CWE ids for CVE-2017-1000119
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-1000119
- http://octobercms.com/support/article/rn-8
  Release Note 8: Build 413 - Security fixes for Media Manager and Asset Manager - October CMS (Vendor Advisory)
- http://packetstormsecurity.com/files/154390/October-CMS-Upload-Protection-Bypass-Code-Execution.html
  October CMS Upload Protection Bypass Code Execution ≈ Packet Storm