Vulnerability Description
Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.
CVSS Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kunena | Kunena | < 5.0.4 |
Related Weaknesses (CWE)
References
- https://github.com/Kunena/Kunena-Forum/pull/5028PatchThird Party Advisory
- https://www.kunena.org/blog/179-kunena-5-0-4-releasedRelease NotesVendor Advisory
- https://www.kunena.org/bugs/changelogRelease NotesVendor Advisory
- https://github.com/Kunena/Kunena-Forum/pull/5028PatchThird Party Advisory
- https://www.kunena.org/blog/179-kunena-5-0-4-releasedRelease NotesVendor Advisory
- https://www.kunena.org/bugs/changelogRelease NotesVendor Advisory
FAQ
What is CVE-2016-11020?
CVE-2016-11020 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.
How severe is CVE-2016-11020?
CVE-2016-11020 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-11020?
Check the references section above for vendor advisories and patch information. Affected products include: Kunena Kunena.