-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from procedural code flow in apps/filemanager/handlers/upload/drop.php rather than a specific named function. The improper validation occurs because the file extension check (via preg_match) is performed on $_FILES['file']['name'] before urldecode() is applied to the filename. This allows attackers to bypass executable file restrictions using URL-encoded filenames. While the code block containing preg_match('/.(php5?|phtml|js|rb|py|pl|sh|bash|exe)$/i') is critical to the vulnerability, it is not encapsulated in a discrete named function but exists in the main script execution path.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| elefant/cms | composer | <= 2.0.3 | 2.0.4 |