CVE-2020-10963 – frozennode/administrator

Package

Manager: composer
Name: frozennode/administrator
Vulnerable Version: >=0 <=5.0.12

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.27747 pctl0.96275

Details

FrozenNode Laravel-Administrator unrestricted file upload FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via `admin/tips_image/image/file_upload` image upload with PHP content within a GIF image that has the `.php` extension. NOTE: this product is discontinued.

Metadata

Created: 2022-05-24T17:12:48Z
Modified: 2024-04-23T22:39:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r2j-rg24-fvpj/GHSA-9r2j-rg24-fvpj.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-9r2j-rg24-fvpj
Finding: F027
Auto approve: 1