Siteserver Cms
CVE-2019-11401
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A issue was discovered in SiteServer CMS 6.9.0. It allows remote attackers to execute arbitrary code because an administrator can add the permitted file extension .aassp, which is converted to .asp because the "as" substring is deleted.
AnalysisAI
A issue was discovered in SiteServer CMS 6.9.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. A issue was discovered in SiteServer CMS 6.9.0. It allows remote attackers to execute arbitrary code because an administrator can add the permitted file extension .aassp, which is converted to .asp because the "as" substring is deleted. Affected products include: Siteserver Siteserver Cms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.
More in Siteserver Cms
View allSiteServer CMS v7.x allows attackers to execute arbitrary code via a crafted plug-in. Rated critical severity (CVSS 9.8)
A vulnerability, which was classified as problematic, was found in SiteServer CMS up to 7.2.1. Rated medium severity (CV
siteserver SSCMS 6.15.51 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerabili
An arbitrary file read vulnerability in the ReadTextAsynchronous function of SSCMS v7.3.1 allows attackers to read arbit
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today