CVE-2018-3814: Injection Vulnerability

January 1, 2018 (updated January 17, 2018)

Craft CMS allows remote attackers to execute arbitrary PHP code by using the Assets->Upload files screen and then the Replace it option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.

References

nvd.nist.gov/vuln/detail/CVE-2018-3814

Code Behaviors & Features

Detect and mitigate CVE-2018-3814 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →