A vulnerability was found in BlackCat CMS 1.2 (Content Management System) and classified as critical. Affected by this issue is an unknown functionality of the file backend/media/ajax_upload.php of the component Media Upload. The manipulation as part of a ZIP Archive leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability. CVE summarizes:

In BlackCat CMS 1.2, remote authenticated users can upload any file via the media upload function in backend/media/ajax_upload.php, as demonstrated by a ZIP archive that contains a .php file.

The bug was discovered 08/24/2017. The weakness was released 08/31/2017 (Website). The advisory is shared for download at github.com. This vulnerability is handled as CVE-2017-13670 since 08/24/2017. The attack may be launched remotely. The successful exploitation needs a simple authentication. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1068.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $0-$5k. By approaching the search of inurl:backend/media/ajax_upload.php it is possible to find vulnerable targets with Google Hacking.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at 106020, 106019 and 106018.

Productinfo

Type

• Content Management System

Vendor

• BlackCat

Name

• CMS

Version

• 1.2

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion