Vulnerability Details : CVE-2018-19422
Public exploit exists!
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers (an authenticated panel user, per the CVSS vectors and the Metasploit module below) to execute arbitrary PHP code by uploading a .pht or .phar file, because the .htaccess blocklist that prevents PHP execution in the uploads directory does not cover these extensions.
Products affected by CVE-2018-19422
- cpe:2.3:a:intelliants:subrion_cms:4.2.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-19422
85.53%: probability of exploitation activity in the next 30 days
~99%: percentile, the proportion of vulnerabilities scored at or below this one
Metasploit modules for CVE-2018-19422
- Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE
  Disclosure Date: 2018-11-04
  First seen: 2023-09-11
  Module: exploit/multi/http/subrion_cms_file_upload_rce
  This module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not inclu
CVSS scores for CVE-2018-19422
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST |
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST |
CWE ids for CVE-2018-19422
- CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-19422
- http://packetstormsecurity.com/files/162591/Subrion-CMS-4.2.1-Shell-Upload.html
  Subrion CMS 4.2.1 Shell Upload ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://github.com/intelliants/subrion/issues/801
  Subrion allows to upload pht, phar extensions. · Issue #801 · intelliants/subrion · GitHub (Exploit; Third Party Advisory)
- http://packetstormsecurity.com/files/173998/Intelliants-Subrion-CMS-4.2.1-Remote-Code-Execution.html
  Intelliants Subrion CMS 4.2.1 Remote Code Execution ≈ Packet Storm