GHSA-6r86-2jm9-9mh4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6r86-2jm9-9mh4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6r86-2jm9-9mh4/GHSA-6r86-2jm9-9mh4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6r86-2jm9-9mh4
- Aliases
- Published
- 2022-02-25T00:01:07Z
- Modified
- 2024-02-19T05:33:14.820017Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- File upload restriction bypass in Zenario CMS
- Details
-
Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server.
- Database specific
{ "nvd_published_at": "2022-02-24T15:15:00Z", "cwe_ids": [ "CWE-434" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-02-25T17:55:05Z" }- References
Affected packages
Packagist / tribalsystems/zenario
Package
- Name
- tribalsystems/zenario
- Purl
- pkg:composer/tribalsystems/zenario
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed9.2.55826
Affected versions
7.*
7.5.40440
7.5.41006
7.5.41499
7.5.41633
7.5.42085
7.5.42990
7.5.47180
7.6.41504
7.6.41633
7.6.42085
7.6.42990
7.6.47180
7.7.42682
7.7.42963
7.7.42990
7.7.44223
7.7.47180
7.7.47369
7.7.48583
8.*
8.0.44237
8.0.44273
8.0.44294
8.0.44521
8.0.45032
8.0.45250
8.0.45529
8.0.47180
8.0.48583
8.1.45530
8.1.45698
8.1.46089
8.1.46433
8.1.46615
8.1.47180
8.1.47369
8.1.48583
8.2.46436
8.2.46614
8.2.47180
8.2.47369
8.2.47992
8.2.48583
8.3.47997
8.3.48583
8.3.50564
8.4.50565
8.4.51340
8.5.50567
8.5.50837
8.5.51340
8.6.51342
8.7
8.8
8.8.53370
8.8.53725
8.8.54063
8.9.54063
8.9.54149
8.9.54153
8.9.55141
9.*
9.0.54156
9.0.55141
9.0.57473
9.1.55143
9.1.55510
9.1.55619
9.1.57473
9.2