Our selection of information security alerts and advisories.
Sources: US Cert, Cert EU, Cert FR, Cnil, VulDB.

Friday 14 December 2018

i-doit open 1.11.2 File Upload ZIP Archive Remote Code Execution

A vulnerability classified as critical was found in i-doit open 1.11.2. It affects an unknown function of the file /admin/?req=modules&action=add of the File Upload component. Manipulation as part of a ZIP archive leads to a privilege escalation vulnerability (code execution). The CWE classification for the problem is CWE-269. Confidentiality, integrity, and availability are impacted.

The weakness was presented on 12/15/2018 as EDB-ID 45957, as an uncorroborated exploit (Exploit-DB). It is possible to read the advisory at The identification of this vulnerability is CVE-2018-20159 since 12/14/2018. The attack may be initiated remotely. Exploitation requires a single authentication. Technical details as well as a public exploit are known.

An exploit was disclosed immediately. The exploit is available at

No information about possible countermeasures is known. It may be advisable to replace the affected object with an alternative product.



VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 6.1

VulDB Base Score: 6.3
VulDB Temp Score: 6.1


Class: Privilege escalation / Code Execution (CWE-269)
Local: No
Remote: Yes

Availability: Yes
Access: Public


Recommended: no mitigation known


12/14/2018 CVE assigned
12/15/2018 Advisory disclosed
12/15/2018 Exploit disclosed
12/15/2018 EDB entry disclosed
12/16/2018 VulDB entry created
12/16/2018 VulDB last update


Advisory: EDB-ID 45957
Status: Uncorroborated

CVE: CVE-2018-20159


Created: 12/16/2018

Author: VulDB
