Unrestricted Avatar File Extensions in Kunena before 5.0.4: XSS and Remote Code Execution Vulnerability

CVE-2016-11020 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.
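
The restriction described above can be enforced with a server-side allow-list. The following is an added example, not Kunena's own code or its 5.0.4 fix: it accepts only the four extensions named in the advisory, checks that the file's leading bytes match the claimed type, and stores the file under a server-generated name. The function name `avatar_storage_name`, the constant `AVATAR_SIGNATURES` and the sample uploads are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Kunena's code. Names and sample data are hypothetical/constructed.
const AVATAR_SIGNATURES = [
    'gif'  => ["GIF87a", "GIF89a"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
];

/** Returns a server-chosen storage name, or null if the upload must be rejected. */
function avatar_storage_name(string $clientName, string $head): ?string
{
    // Reject empty names, control characters (including NUL) and path separators.
    if ($clientName === '' || preg_match('/[\x00-\x1F\x7F\/\\\\]/', $clientName)) {
        return null;
    }
    // Only the final extension counts; compare case-insensitively against the allow-list.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, AVATAR_SIGNATURES)) {
        return null;
    }
    // The leading bytes must match the signature of the claimed image type.
    foreach (AVATAR_SIGNATURES[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            // Never reuse the client's name: "a.php.jpg" becomes "<random>.jpg".
            return bin2hex(random_bytes(16)) . '.' . $ext;
        }
    }
    return null;
}

// Constructed sample uploads: [client filename, first bytes of the file].
$samples = [
    ['me.PNG',           "\x89PNG\r\n\x1A\n...."],
    ['me.jpeg',          "\xFF\xD8\xFF\xE0...."],
    ['avatar.php',       "<?php ...."],
    ['avatar.svg',       "<svg xmlns=...."],
    ['avatar.php.jpg',   "\xFF\xD8\xFF\xE0...."],
    ['avatar.jpg',       "<?php ...."],
    ["avatar.php\0.jpg", "\xFF\xD8\xFF\xE0...."],
];
foreach ($samples as [$name, $head]) {
    $stored = avatar_storage_name($name, $head);
    printf("%-16s => %s\n", addcslashes($name, "\0"), $stored ?? 'REJECTED');
}
```

The first, second and fifth samples are accepted and renamed; the rest are rejected. Serving the avatar directory with script execution disabled and a fixed image `Content-Type` is a complementary control that this check does not replace.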
