
CVE-2019-12185

CVSS Severity Score: 8.8 (HIGH)
EPSS Score: 0.0460%
EPSS Percentile: 17.28th
Published: May 20, 2019
Last Modified: Nov 21, 2024

Vulnerability Description

eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.

Affected Platforms (CPE)

Elabftw

Elabftw

= 1.8.5
