High severity8.8OSV Advisory· Published Nov 11, 2018· Updated Jun 17, 2026
CVE-2018-19135
CVE-2018-19135
Description
ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload (enabled by default). This can be used by an attacker to perform actions for an admin (or any user with the file upload capability). With this vulnerability, one can automatically upload files (by default, it allows html, pdf, xml, zip, and many other file types). A file can be accessed publicly under the "/assets/files" directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2clipper_1.2.0, clipper_1.3.0, clipper_1.3.1, …+ 1 more
- (no CPE)range: clipper_1.2.0, clipper_1.3.0, clipper_1.3.1, …
- (no CPE)range: <=1.3.3
Patches
Vulnerability mechanics
References
2- github.com/ClipperCMS/ClipperCMS/issues/494nvdExploitIssue TrackingThird Party Advisory
- www.exploit-db.com/exploits/45839/nvdExploitThird Party AdvisoryVDB Entry
News mentions
0No linked articles in our index yet.