An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/<php_file_name>. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:horizontcms_project:horizontcms:1.0.0:alpha2:*:*:*:*:*:*",
"cpe:2.3:a:horizontcms_project:horizontcms:1.0.0:alpha3:*:*:*:*:*:*",
"cpe:2.3:a:horizontcms_project:horizontcms:1.0.0:alpha4:*:*:*:*:*:*",
"cpe:2.3:a:horizontcms_project:horizontcms:1.0.0:alpha5:*:*:*:*:*:*",
"cpe:2.3:a:horizontcms_project:horizontcms:1.0.0:alpha6:*:*:*:*:*:*",
"cpe:2.3:a:horizontcms_project:horizontcms:1.0.0:alpha7:*:*:*:*:*:*",
"cpe:2.3:a:horizontcms_project:horizontcms:1.0.0:alpha8:*:*:*:*:*:*",
"cpe:2.3:a:horizontcms_project:horizontcms:1.0.0:alpha:*:*:*:*:*:*",
"cpe:2.3:a:horizontcms_project:horizontcms:1.0.0:beta:*:*:*:*:*:*"
],
"vendor_product": "horizontcms_project:horizontcms",
"extracted_events": [
{
"introduced": "1.0.0-alpha"
},
{
"last_affected": "1.0.0-alpha"
},
{
"introduced": "1.0.0-alpha2"
},
{
"last_affected": "1.0.0-alpha2"
},
{
"introduced": "1.0.0-alpha3"
},
{
"last_affected": "1.0.0-alpha3"
},
{
"introduced": "1.0.0-alpha4"
},
{
"last_affected": "1.0.0-alpha4"
},
{
"introduced": "1.0.0-alpha5"
},
{
"last_affected": "1.0.0-alpha5"
},
{
"introduced": "1.0.0-alpha6"
},
{
"last_affected": "1.0.0-alpha6"
},
{
"introduced": "1.0.0-alpha7"
},
{
"last_affected": "1.0.0-alpha7"
},
{
"introduced": "1.0.0-alpha8"
},
{
"last_affected": "1.0.0-alpha8"
},
{
"introduced": "1.0.0-beta"
},
{
"last_affected": "1.0.0-beta"
}
],
"source": "CPE_STRING"
}
]
}