CVE-2019-15862: Malicious File Upload

Q: What is CVE-2019-15862?

CVE-2019-15862 is a vulnerability in CKFinder through 2.6.2.1 that allows remote attackers to upload files without any extension.

Q: How does CVE-2019-15862 affect CKFinder?

CVE-2019-15862 affects CKFinder versions up to 2.6.2.1.

Q: What is the severity of CVE-2019-15862?

CVE-2019-15862 has a severity rating of 7.5 (High).

Q: Which software versions are affected by CVE-2019-15862?

CKFinder versions up to 2.6.2.1 for ASP, ASP.NET, ColdFusion, and PHP are affected by CVE-2019-15862.

Q: How can I fix CVE-2019-15862?

To fix CVE-2019-15862, update CKFinder to version 2.6.3 or later.

Published Sep 26, 2019

Updated

An issue was discovered in CKFinder through 2.6.2.1. Improper checks of file names allows remote attackers to upload files without any extension (even if the application was configured to accept files only with a defined set of extensions). This affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP.

Affected Software

4 affected components

CKSource Ckfinder Asp<2.6.3

CKSource Ckfinder Asp.net<2.6.3

CKSource Ckfinder Coldfusion<2.6.3

CKSource Ckfinder Php<2.6.3

Event History

Sep 26, 2019

CVE Published

via MITRE·08:50 PM

Data Sourced

via MITRE·08:50 PM

Description

Frequently Asked Questions

What is CVE-2019-15862?

CVE-2019-15862 is a vulnerability in CKFinder through 2.6.2.1 that allows remote attackers to upload files without any extension.

How does CVE-2019-15862 affect CKFinder?

CVE-2019-15862 affects CKFinder versions up to 2.6.2.1.

What is the severity of CVE-2019-15862?

CVE-2019-15862 has a severity rating of 7.5 (High).

Which software versions are affected by CVE-2019-15862?

CKFinder versions up to 2.6.2.1 for ASP, ASP.NET, ColdFusion, and PHP are affected by CVE-2019-15862.

How can I fix CVE-2019-15862?