CVE-2018-25353
HighSummary
Redaxo CMS Mediapool Addon version 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Attackers with editor accounts can upload executable files using obfuscated extensions to evade the blacklist filter.
Risk Assessment
The organization is at risk of arbitrary code execution by attackers, which could lead to system and data compromise. Exploitation of this vulnerability may result in severe consequences for system security and integrity.
Recommendation
It is recommended to update Redaxo CMS Mediapool Addon to the latest version to eliminate this vulnerability. Additionally, implementing further security measures to monitor and control uploaded files is advisable.
Original NVD description (English source)
Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Attackers with editor accounts can upload executable files by using obfuscated extensions like php71 or php53 to evade the blacklist filter and execute arbitrary code.

