CVE-2019-11185 - Vulnerability Details - OpenCVE

The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending "magic bytes" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST api remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
3cx	Live Chat

Configuration 1 [-]

cpe:2.3:a:3cx:live_chat:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wordpress.org/plugins/wp-live-chat-support/#developers
https://wp-livechat.com/
https://wpvulndb.com/vulnerabilities/9320

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-03T20:34:53

Updated: 2024-08-04T22:48:08.128Z

Reserved: 2019-04-11T00:00:00

Link: CVE-2019-11185

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-06-03T21:29:00.490

Modified: 2024-11-21T04:20:41.470

Link: CVE-2019-11185

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending \"magic bytes\" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST api remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-03T20:34:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wordpress.org/plugins/wp-live-chat-support/#developers"}, {"tags": ["x_refsource_MISC"], "url": "https://wp-livechat.com/"}, {"tags": ["x_refsource_MISC"], "url": "https://wpvulndb.com/vulnerabilities/9320"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11185", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending \"magic bytes\" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST api remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://wordpress.org/plugins/wp-live-chat-support/#developers", "refsource": "MISC", "url": "https://wordpress.org/plugins/wp-live-chat-support/#developers"}, {"name": "https://wp-livechat.com/", "refsource": "MISC", "url": "https://wp-livechat.com/"}, {"name": "https://wpvulndb.com/vulnerabilities/9320", "refsource": "MISC", "url": "https://wpvulndb.com/vulnerabilities/9320"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:08.128Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wordpress.org/plugins/wp-live-chat-support/#developers"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wp-livechat.com/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpvulndb.com/vulnerabilities/9320"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11185", "datePublished": "2019-06-03T20:34:53", "dateReserved": "2019-04-11T00:00:00", "dateUpdated": "2024-08-04T22:48:08.128Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:3cx:live_chat:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "67BCD490-D917-4DCD-9A08-73158864786C", "versionEndExcluding": "8.0.26", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending \"magic bytes\" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST api remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension."}, {"lang": "es", "value": "El plugin WP Live Chat Support Pro a trav\u00e9s de 8.0.26 para WordPress contiene una vulnerabilidad de carga de archivos arbitraria. Esto resulta de un ajuste incompleto para CVE-2018-12426. La carga arbitraria de archivos se logra utilizando una extensi\u00f3n de archivo ejecutable no incluida en la lista negra junto con una extensi\u00f3n de archivo en la lista blanca, y a\u00f1adiendo \"bytes m\u00e1gicos\" a la carga \u00fatil para pasar las comprobaciones MIME. Espec\u00edficamente, un usuario remoto no identificado env\u00eda una solicitud POST de carga de archivos dise\u00f1ada al punto final REST api remote_upload. El archivo contiene datos que enga\u00f1ar\u00e1n al cheque MIME del plugin al clasificarlo como una imagen (que es una extensi\u00f3n de archivo en la lista blanca) y, finalmente, una extensi\u00f3n de archivo .phtml final."}], "id": "CVE-2019-11185", "lastModified": "2024-11-21T04:20:41.470", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-03T21:29:00.490", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://wordpress.org/plugins/wp-live-chat-support/#developers"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://wp-livechat.com/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpvulndb.com/vulnerabilities/9320"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://wordpress.org/plugins/wp-live-chat-support/#developers"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wp-livechat.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpvulndb.com/vulnerabilities/9320"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}