CVE-2019-18643 in Rock RMSinfo

Summary

by MITRE • 01/08/2021

Rock RMS versions before 8.10 and versions 9.0 through 9.3 fails to properly validate files uploaded in the application. The only protection mechanism is a file-extension blacklist that can be bypassed by adding multiple spaces and periods after the file name. This could allow an attacker to upload ASPX code and gain remote code execution on the application. The application typically runs as LocalSystem as mandated in the installation guide. Patched in versions 8.10 and 9.4.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Disclosure

01/08/2021

Moderation

accepted

Entry

VDB-167429

CPE

ready

CWE

CWE-434 (confirmed)

CVSS

6.3 (VulDB)

EPSS

0.04098

KEV

Activities

very low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2019-18643
NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-18643
CVE Details	https://www.cvedetails.com/cve/CVE-2019-18643/

◂ Previous Overview Next ▸

Interested in the pricing of exploits?

See the underground prices here!