2 matches found
CVE-2015-5074
CVE-2015-5074 affects X2Engine X2CRM 4.2. An incomplete blacklist in FileUploadsFilter.php allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension. This enables arbitrary file uploads and potential code execution on vulnerable installations. The i...
X2Engine 4.2 - Arbitrary File Upload
Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/ Details: It was discovered that authenticated users were able to upload files of any type providing that the file did not have an extension that was listed in the following blacklist:...