VYPR
High severity8.8OSV Advisory· Published Nov 11, 2018· Updated Jun 17, 2026

CVE-2018-19135

CVE-2018-19135

Description

ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload (enabled by default). This can be used by an attacker to perform actions for an admin (or any user with the file upload capability). With this vulnerability, one can automatically upload files (by default, it allows html, pdf, xml, zip, and many other file types). A file can be accessed publicly under the "/assets/files" directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Clippercms/ClippercmsOSV2 versions
    clipper_1.2.0, clipper_1.3.0, clipper_1.3.1, …+ 1 more
    • (no CPE)range: clipper_1.2.0, clipper_1.3.0, clipper_1.3.1, …
    • (no CPE)range: <=1.3.3

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.