Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations.)
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-11-09T00:00:00

Updated: 2024-08-03T12:28:42.623Z

Reserved: 2022-09-19T00:00:00

Link: CVE-2022-40797

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-11-09T07:15:09.347

Modified: 2024-11-21T07:22:03.370

Link: CVE-2022-40797

cve-icon Redhat

No data.