CVE-2019-9572 - OpenCVE

SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the _Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of arbitrary PHP code in Public\Home\1_Static.php because of mishandling in the Application\Admin\Controller\ThemeController.class.php Upload() function.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schoolcms	Schoolcms

Configuration 1 [-]

cpe:2.3:a:schoolcms:schoolcms:2.3.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/PearlyNautilus/Security-Code-Review/issues/3

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-03-05T14:00:00Z

Updated: 2024-09-16T20:21:44.068Z

Reserved: 2019-03-05T00:00:00Z

Link: CVE-2019-9572

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-03-05T14:29:00.310

Modified: 2019-03-08T16:48:01.950

Link: CVE-2019-9572

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the _Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of arbitrary PHP code in Public\\Home\\1_Static.php because of mishandling in the Application\\Admin\\Controller\\ThemeController.class.php Upload() function."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-03-05T14:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/PearlyNautilus/Security-Code-Review/issues/3"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9572", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the _Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of arbitrary PHP code in Public\\Home\\1_Static.php because of mishandling in the Application\\Admin\\Controller\\ThemeController.class.php Upload() function."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/PearlyNautilus/Security-Code-Review/issues/3", "refsource": "MISC", "url": "https://github.com/PearlyNautilus/Security-Code-Review/issues/3"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T21:54:44.890Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PearlyNautilus/Security-Code-Review/issues/3"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9572", "datePublished": "2019-03-05T14:00:00Z", "dateReserved": "2019-03-05T00:00:00Z", "dateUpdated": "2024-09-16T20:21:44.068Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schoolcms:schoolcms:2.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "5771AA83-65D9-4749-B0EF-E16796014643", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the _Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of arbitrary PHP code in Public\\Home\\1_Static.php because of mishandling in the Application\\Admin\\Controller\\ThemeController.class.php Upload() function."}, {"lang": "es", "value": "SchoolCMS 2.3.1 permite la subida de archivos mediante la caracter\u00edstica de subida de temas en admin.php?m=adminc=themea=upload mediante el uso de la extensi\u00f3n .zip junto con la subcadena _Static, cambiando el tipo de contenido a application/zip y colocando c\u00f3digo PHP tras la cabecera ZIP. En \u00faltimo lugar, esto permite la ejecuci\u00f3n de c\u00f3digo PHP arbitrario en Public\\Home\\1_Static.php debido a la mala gesti\u00f3n en la funci\u00f3n Upload () en Application\\Admin\\Controller\\ThemeController.class.php."}], "id": "CVE-2019-9572", "lastModified": "2019-03-08T16:48:01.950", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-05T14:29:00.310", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/PearlyNautilus/Security-Code-Review/issues/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}