Arbitrary PHP Code Execution in Pixie 1.0.4 via Double Extension File Upload

Arbitrary PHP Code Execution in Pixie 1.0.4 via Double Extension File Upload

CVE-2017-7402 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/jpeg.

Learn more about our User Device Pen Test.