CVE-2019-15862: Malicious File Upload
First published: Thu Sep 26 2019(Updated: )
An issue was discovered in CKFinder through 2.6.2.1. Improper checks of file names allows remote attackers to upload files without any extension (even if the application was configured to accept files only with a defined set of extensions). This affects CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion, and CKFinder for PHP.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CKSource CKFinder | <2.6.3 | |
| CKSource CKFinder | <2.6.3 | |
| CKSource CKFinder | <2.6.3 | |
| CKSource CKFinder | <2.6.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2019-15862?
CVE-2019-15862 is a vulnerability in CKFinder through 2.6.2.1 that allows remote attackers to upload files without any extension.
How does CVE-2019-15862 affect CKFinder?
CVE-2019-15862 affects CKFinder versions up to 2.6.2.1.
What is the severity of CVE-2019-15862?
CVE-2019-15862 has a severity rating of 7.5 (High).
Which software versions are affected by CVE-2019-15862?
CKFinder versions up to 2.6.2.1 for ASP, ASP.NET, ColdFusion, and PHP are affected by CVE-2019-15862.
How can I fix CVE-2019-15862?
To fix CVE-2019-15862, update CKFinder to version 2.6.3 or later.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cksource
- canonical/cksource ckfinder