zb_system/function/lib/upload.php in Z-BlogPHP through 1.5.1 allows remote attackers to execute arbitrary PHP code by using the image/jpeg content type in an upload to the zb_system/admin/index.php?act=UploadMng URI. NOTE: The vendor's position is "We have no dynamic including. No one can run PHP by uploading an image in current version." It also requires authentication
References
Link | Resource |
---|---|
https://github.com/novysodope/Z-BlogPHP1.5Zero/blob/master/Getshell | Broken Link Third Party Advisory |
https://github.com/zblogcn/zblogphp/issues/205 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-11-22T21:00:00
Updated: 2019-03-04T21:57:01
Reserved: 2018-11-22T00:00:00
Link: CVE-2018-19463
JSON object: View
NVD Information
Status : Modified
Published: 2018-11-22T21:29:00.227
Modified: 2024-05-17T01:26:06.350
Link: CVE-2018-19463
JSON object: View
Redhat Information
No data.
CWE