漏洞类别:CGI
漏洞等级: 
漏洞信息
X2Engine X2CRM is an open source Customer Relationship Management CRM software. X2CRM is a fast and compact enterprise grade marketing, sales and customer service application designed for small business.
The 'FileUploadsFilter' class in 'FileUploadsFilter.php' in X2Engine X2CRM does not properly blacklist malicious files thus allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.
Affected Versions:
X2Engine X2CRM versions prior to 5.0.9
漏洞危害
An authenticated remote attacker can exploit this vulnerability to upload malicious '.pht' file on the system to execute arbitrary code.
解决方案
Customers are advised to upgrade to the latest version of X2CRM.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0day
文章评论