CVE Catalog

CVE-2021-47936

Critical
Published: Translated: NVD NIST

Summary

OpenCATS version 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.

Risk Assessment

This vulnerability poses a significant risk to organizations, allowing attackers to execute remote code, which can lead to system takeover. Unsecured applications may be exposed to various attacks, including data theft and resource destruction.

Recommendation

It is recommended to update OpenCATS to the latest version that addresses this vulnerability. Additionally, implement security measures such as scanning uploaded files and restricting allowed attachment types.

Original NVD description (English source)

OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS