How severe is CVE-2018-11091?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.9 out of 10.

What type of vulnerability is CVE-2018-11091?

This is classified as CWE-434, which is a common weakness in software security.

CVE-2018-11091

CRITICAL Year: 2018

CVSS v3 Score

9.9

Critical

CVSS v2 Score

9.0

Critical

Weakness Type

CWE-434

View all →

Vulnerability Description

An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file can be uploaded to the webserver by an attacker. It is possible for an attacker to upload a script to issue operating system commands. This vulnerability occurs because an attacker is able to adjust the "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary extensions to the whitelist during the upload. For instance, if the extension .asp is added to the "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server accepts "secctest.asp" as a legitimate file. Hence malicious files can be uploaded in order to execute arbitrary commands to take over the server.

CVE-2015-5951

CRITICAL

CVSS:9.9(Critical)

A file upload issue exists in the specid parameter in Thomson Reuters FATCH before 5.2, which allows malicious users to upload arbitrary PHP files to the web root and execute system commands.

CWE-4342015

CVE-2018-1969

CRITICAL

CVSS:9.9(Critical)

IBM Security Identity Manager 6.0.0 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 153750.

CWE-4342018

CVE-2018-3832

CRITICAL

CVSS:9.9(Critical)

An exploitable firmware update vulnerability exists in Insteon Hub running firmware version 1013. The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access t...

CWE-4342018

CVE-2019-17536

CRITICAL

CVSS:9.9(Critical)

Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.

CWE-4342019

CVE-2019-4013

CRITICAL

CVSS:9.9(Critical)

IBM BigFix Platform 9.5 could allow any authenticated user to upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileg...

CWE-4342019

CVE-2019-8992

CRITICAL

CVSS:9.9(Critical)

The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix...

CWE-4342019

CVE-2018-11091

Vulnerability Description

Related Vulnerabilities

CVE-2015-5951

CVE-2018-1969

CVE-2018-3832

CVE-2019-17536

CVE-2019-4013

CVE-2019-8992