Vulnerability Description
FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Leefish | File Thingie | <= 2.5.7 |
Related Weaknesses (CWE)
References
- https://github.com/leefish/filethingie/archive/master.zip (Product)
- https://www.exploit-db.com/exploits/47349 (Exploit, Third Party Advisory, VDB Entry)
- https://www.vulncheck.com/advisories/filethingie-arbitrary-file-upload-via-ft2-p (Third Party Advisory)
FAQ
What is CVE-2019-25471?
CVE-2019-25471 is a vulnerability with a CVSS score of 9.8 (CRITICAL). FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files c...
How severe is CVE-2019-25471?
CVE-2019-25471 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-25471?
Check the references section above for vendor advisories and patch information. Affected products include: Leefish File Thingie.