GHSA-cxj7-4jpj-2q38

Source

https://github.com/advisories/GHSA-cxj7-4jpj-2q38

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cxj7-4jpj-2q38/GHSA-cxj7-4jpj-2q38.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cxj7-4jpj-2q38

Aliases

CVE-2019-16318

Published

2022-05-24T16:56:12Z

Modified

2025-01-08T05:56:48.034414Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Pimcore Unrestricted Upload of File with Dangerous Type

Details

In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.

Database specific

{
    "severity": "HIGH",
    "github_reviewed_at": "2024-04-24T17:23:56Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2019-09-14T18:15:00Z"
}

References

Affected packages

Packagist / pimcore/pimcore

Package

Name: pimcore/pimcore
Purl: pkg:composer/pimcore/pimcore

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.7.1

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.3.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.1.0

3.1.1

4.*

4.0.0

4.0.1

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0

4.3.0

4.3.1

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

v5.*

v5.0.0-RC

v5.0.0

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.1.0-alpha

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.2.0

v5.2.1

v5.2.2

v5.2.3

v5.3.0

v5.3.1

v5.4.0

v5.4.1

v5.4.2

v5.4.3

v5.4.4

v5.5.0

v5.5.1

v5.5.2

v5.5.3

v5.5.4

v5.6.0

v5.6.1

v5.6.2

v5.6.3

v5.6.4

v5.6.5

v5.6.6

v5.7.0