CVE-2019-16113 : Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .j

Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.

Published 2019-09-08 21:15:11

Updated 2022-04-26 20:08:43

Source MITRE

View at NVD, CVE.org

Vulnerability category: Directory traversalExecute code

Exploit prediction scoring system (EPSS) score for CVE-2019-16113

Probability of exploitation activity in the next 30 days: 91.13%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 99 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2019-16113

Bludit Directory Traversal Image File Upload Vulnerability

Disclosure Date: 2019-09-07

First seen: 2020-04-26

exploit/linux/http/bludit_upload_images_exec

This module exploits a vulnerability in Bludit. A remote user could abuse the uuid parameter in the image upload feature in order to save a malicious payload anywhere onto the server, and then use a custom .htaccess file to bypass the file extension check to finally

More information

CVSS scores for CVE-2019-16113

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-16113

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-16113

http://packetstormsecurity.com/files/155295/Bludit-Directory-Traversal-Image-File-Upload.html

Bludit Directory Traversal Image File Upload ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/157988/Bludit-3.9.12-Directory-Traversal.html

Bludit 3.9.12 Directory Traversal ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/158569/Bludit-3.9.2-Directory-Traversal.html

Bludit 3.9.2 Directory Traversal ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://github.com/bludit/bludit/issues/1081

Bludit v3.9.2 Code Execution Vulnerability in "Upload function" · Issue #1081 · bludit/bludit · GitHub
Exploit;Third Party Advisory

Products affected by CVE-2019-16113

Bludit » Bludit » Version: 3.9.2
cpe:2.3:a:bludit:bludit:3.9.2:*:*:*:*:*:*:*
Matching versions