Vulnerability Details : CVE-2018-19422

/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

Published 2018-11-21 21:29:00

Updated 2023-08-04 18:15:10

Source MITRE

View at NVD, CVE.org

At least one public exploit which can be used to exploit this vulnerability exists!

Exploit prediction scoring system (EPSS) score for CVE-2018-19422

Probability of exploitation activity in the next 30 days: 84.31%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 98 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2018-19422

Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE

Disclosure Date : 2018-11-04

exploit/multi/http/subrion_cms_file_upload_rce

This module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence these files can be uploaded and executed to achieve remote code execution. In this module, a .phar file with a randomized name is uploaded and executed to receive a Meterpreter session on the target, then deletes itself afterwards. Authors: - Hexife - Fellipe Oliveira - Ismail E. Dawoodjee

More information

CVSS scores for CVE-2018-19422

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	[email protected]
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-19422

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

Assigned by: [email protected] (Primary)

References for CVE-2018-19422

http://packetstormsecurity.com/files/162591/Subrion-CMS-4.2.1-Shell-Upload.html

Exploit;Third Party Advisory;VDB Entry
https://github.com/intelliants/subrion/issues/801

Exploit;Third Party Advisory
http://packetstormsecurity.com/files/173998/Intelliants-Subrion-CMS-4.2.1-Remote-Code-Execution.html

Products affected by CVE-2018-19422

Intelliants » Subrion Cms » Version: 4.2.1
cpe:2.3:a:intelliants:subrion_cms:4.2.1:*:*:*:*:*:*:*
Matching versions