CVE-2019-10874 in Bolt
Summary
by MITRE
Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS 3.6.6 allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml configuration file.
Analysis
by VulDB Data Team • 08/09/2025
CVE-2019-10874 is a critical cross-site request forgery (CSRF) flaw in the file upload functionality of Bolt CMS 3.6.6. It targets the bolt/upload module and gives remote attackers a path to arbitrary code execution through deliberate file manipulation. The flaw stems from insufficient validation that fails to properly sanitize file uploads, in particular JavaScript files that can subsequently be executed within the application context. The vulnerability is especially dangerous because it abuses a legitimate file upload feature to obtain unauthorized code execution, bypassing the security controls that would normally prevent such activity.
Technically, the attack works through manipulation of the file/edit/config/config.yml configuration file, a central component of how Bolt CMS operates. Once an attacker has uploaded a JavaScript file through the vulnerable upload mechanism, the configuration file can be used to include and execute that malicious code. This is a classic privilege escalation vector: a low-privilege user gains elevated system access through the application's own file handling. The vulnerability sits at the intersection of web application security and configuration management, exploiting the trust the CMS places in its configuration files.
The operational impact for organizations running Bolt CMS 3.6.6 is severe, because the flaw allows remote arbitrary code execution without the attacker needing to authenticate. Uploading and executing JavaScript files via the configuration file gives attackers the means to establish persistent backdoors, exfiltrate sensitive data, or compromise entire server environments. The vulnerability directly affects the integrity and availability of the web application and can lead to complete system compromise. The attack surface is particularly concerning because the flaw lives in a core file management feature that legitimate users exercise frequently, which makes detection harder and exploitation more likely.
CVE-2019-10874 is classified under CWE-352, which covers Cross-Site Request Forgery in web applications. This classification indicates that the vulnerability stems from insufficient anti-CSRF protections, allowing attackers to perform unauthorized actions on behalf of authenticated users. In the ATT&CK framework it maps to T1059.007 ("Command and Scripting Interpreter: JavaScript") and T1566.001 ("Phishing: Spearphishing Attachment"). It also maps to T1078.004 ("Valid Accounts: Cloud Accounts"), since successful exploitation could lead to account compromise and further lateral movement within the network. Organizations should prioritize immediate remediation by upgrading Bolt CMS to version 3.6.7 or later, adding input validation measures, and establishing monitoring to detect unauthorized file uploads and configuration changes.
Mitigation starts with immediate patch deployment: upgrade to Bolt CMS 3.6.7 or higher, which contains the fix for this vulnerability. Additional defensive measures include strict file type validation and content inspection for all uploaded files, particularly those that could be interpreted as executable or configuration files. Network segmentation and web application firewalls add further layers of protection by monitoring and blocking suspicious upload patterns. Regular security audits of configuration files, together with automated monitoring for unauthorized changes to config.yml, help detect exploitation attempts. Organizations should also maintain robust incident response procedures, including forensic analysis capability, to identify and contain compromises resulting from this vulnerability. Remediation should conclude with comprehensive testing of the patched environment to confirm that legitimate functionality remains intact while the flaw is closed.
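The config.yml monitoring recommended above, as an added example in Python (not part of VulDB's analysis or of Bolt's own code): it assumes `accept_file_types` is the upload allowlist key in config.yml, uses constructed config excerpts, and treats the listed extensions as executable content that should never appear in an upload allowlist.

```python
"""Baseline config.yml and flag executable extensions added to the upload allowlist.

Constructed example for the CVE-2019-10874 analysis; the `accept_file_types`
key and the sample config excerpts are assumptions, not taken from Bolt.
"""
import hashlib
import re

# Extensions treated here as executable/script content (illustrative set;
# extend it to match what the web server and CMS will actually interpret).
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "phar", "twig", "js", "html", "htm", "svg"}


def parse_accept_file_types(config_text: str) -> list:
    """Return the entries of an inline-list `accept_file_types: [ ... ]` value, lowercased."""
    match = re.search(r"^accept_file_types:\s*\[([^\]]*)\]", config_text, re.MULTILINE)
    if not match:
        return []
    return [item.strip().strip("'\"").lower()
            for item in match.group(1).split(",") if item.strip()]


def audit_allowlist(config_text: str) -> list:
    """Executable extensions currently present in the allowlist (a finding if non-empty)."""
    return sorted(set(parse_accept_file_types(config_text)) & EXECUTABLE_EXTENSIONS)


def config_fingerprint(config_text: str) -> str:
    """SHA-256 of the file content, suitable for a change-detection baseline."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def detect_change(baseline_text: str, current_text: str) -> dict:
    """Compare a stored baseline with the current file and report what changed."""
    before = set(parse_accept_file_types(baseline_text))
    after = set(parse_accept_file_types(current_text))
    added = after - before
    return {
        "hash_changed": config_fingerprint(baseline_text) != config_fingerprint(current_text),
        "added": sorted(added),
        "added_executable": sorted(added & EXECUTABLE_EXTENSIONS),
    }


# Constructed excerpts: a clean baseline and the same file after an unauthorized edit.
BASELINE_CONFIG = "sitename: Example Site\naccept_file_types: [ gif, jpg, jpeg, png, pdf, txt ]\n"
TAMPERED_CONFIG = "sitename: Example Site\naccept_file_types: [ gif, jpg, jpeg, png, pdf, txt, js, php ]\n"

if __name__ == "__main__":
    print(detect_change(BASELINE_CONFIG, TAMPERED_CONFIG))
```

Run it periodically (or from an inotify/cron hook) against a baseline captured right after a clean deployment; a non-empty `added_executable` list is the signal to investigate.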