Miggo Logo

CVE-2019-11401: SiteServer CMS RCE via unsafe file upload

7.2

CVSS Score
3.0

Basic Information

EPSS Score
0.84526%
Published
5/24/2022
Updated
8/25/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
sscmsnuget< 6.126.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

Both functions use StringUtils.ReplaceIgnoreCase to remove 'as' substrings from filenames without proper validation. This allows crafted extensions like '.aassp' to become '.asp' after processing. The GitHub issue explicitly references these functions, and the patch (changing to PathUtils.GetSafeFilename) confirms the vulnerability. The CWE-434 mapping further supports the unsafe file upload mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* issu* w*s *is*ov*r** in Sit*S*rv*r *MS prior to v*rsion *.**. It *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** ****us* *n **ministr*tor **n *** t** p*rmitt** *il* *xt*nsion `.**ssp`, w*i** is *onv*rt** to `.*sp` ****us* t** "*s" su*strin* is **

Reasoning

*ot* *un*tions us* `Strin*Utils.R*pl***I*nor***s*` to r*mov* '*s' su*strin*s *rom `*il*n*m*s` wit*out prop*r v*li**tion. T*is *llows *r**t** *xt*nsions lik* '.**ssp' to ***om* '.*sp' **t*r pro**ssin*. T** `*it*u*` issu* *xpli*itly r***r*n**s t**s* *u