> Vendor: Karamasoft
> CVE ID: CVE-2019-12150
> Discoverer: Arvin Christopher Moreno
> Date Fixed: May 17, 2019
> UltimateEditor 1 does not ensure that an uploaded file is an image or document
> (neither file types nor extensions are restricted). The attacker must use the Attach icon to perform an upload.
> An uploaded file is accessible under the UltimateEditorInclude/UserFiles/ URI.
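The control the description says is missing is an upload validator that insists on an image or document type and rejects everything else. The following Python is an added illustration of that control, not Karamasoft's or UltimateEditor's code: it enforces an extension allowlist and also checks the file's leading bytes, so a server-side script renamed to an image extension is refused along with a plain `.aspx` upload. The allowlisted types, the magic numbers and the name rules are this example's own assumptions.

```python
"""Upload validation of the kind CVE-2019-12150 describes as absent.

Added example, not the product's code. The advisory says neither file
types nor extensions were restricted; this validator does both checks
(allowlisted extension AND matching magic number) before a file may be
stored under a user-files directory.
"""
import os
import re

# Allowed extension -> magic-number prefixes a file of that type must start with.
# The allowlist itself is an assumption of this example.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}

# Stem may contain only these characters: this also rules out a second
# extension such as "shell.aspx.png", whose stem would contain a dot.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says why."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the sanitized name to store the file under, or raise UploadRejected.

    Checks, in order: the name carries no path components, its stem is
    plain and has no embedded extension, its extension is allowlisted,
    and the content starts with a magic number consistent with that
    extension (so a renamed script is caught even with a good extension).
    """
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        raise UploadRejected("path components are not allowed in file names")
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if not SAFE_STEM.match(stem):
        raise UploadRejected("file name has disallowed characters or a second extension")
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not an allowed image/document type")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected(f"content does not look like a {ext} file")
    return stem + ext


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would store the file."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs for a quick run.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    script = b"<%@ Page Language=\"C#\" %>"
    for name, blob in [("photo.png", png), ("shell.aspx", script),
                       ("shell.png", script), ("shell.aspx.png", png),
                       ("../shell.png", png)]:
        print(f"{name:16} accepted={is_accepted(name, blob)}")
```

The two checks are deliberately independent: the extension decides how the web server will handle the file when it is later requested, and the magic number decides whether the bytes are really the type the name claims. Dropping either one reopens a path to storing server-executable content in a directory the server serves.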
> ------------------------------------------
> This vulnerability lets me upload arbitrary files to the file system.
> UltimateEditor's upload path does not restrict file types/extensions
> and because of this, I was able to upload PHP5 and ASPX files on their
> file system. Using the ASPX shell, I was able to execute code on the
> targets server. I was able to exploit this vulnerability on
> karamasoft's website itself >> . Here are
> the steps of the exploitation:
> Go to, click UltimateEditor on their homepage.
> Now, click the Live Demo.
> Click the Attach icon on the UltimateEditor and a small window should pop up.
> Click Browse; a file system dialog pops up and shows the upload path.
> Upload your ASPX shell.
> Now here is a slightly tricky part.
> Click your ASPX shell. It doesn't preview, right?
> To solve this problem, click one of the uploaded images. It previews.
> Now, right-click on the image and click View Image. It then shows you the file path.
> File Path:
> Erase the image file name and replace it with the name + extension of your shell.
> Example:
> Gratz! You now have shell access on the website/server.
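The final step of the writeup, browsing to the uploaded script under `UltimateEditorInclude/UserFiles/`, leaves a clear trace in the web server's access log: a request for a server-side script in a directory that should only ever hold images and documents. The Python below is an added detection example, not part of the advisory, that scans IIS W3C-format log lines for that pattern. The log lines are constructed for the example, and the extension list extends the page's ASPX and PHP5 with other common server-side handler extensions as an assumption.

```python
"""Access-log detection for use of an uploaded script under UserFiles.

Added example, not from the advisory. Flags any request whose path falls
under the UltimateEditor user-files directory and names a server-side
script, whatever the response status: a 404 is still a probe worth seeing.
"""
from urllib.parse import unquote

UPLOAD_DIR = "/ultimateeditorinclude/userfiles/"
# ASPX and PHP5 come from the advisory; the rest are assumed additions.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".php5", ".phtml")

# Constructed IIS W3C extended log excerpt (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-05-01 10:00:01 10.0.0.5 GET /UltimateEditorInclude/UserFiles/picture.jpg - 80 - 198.51.100.7 Mozilla/5.0 200
2019-05-01 10:00:09 10.0.0.5 GET /UltimateEditorInclude/UserFiles/cmd.aspx - 80 - 198.51.100.7 Mozilla/5.0 200
2019-05-01 10:00:12 10.0.0.5 GET /UltimateEditorInclude/UserFiles/notes.pdf - 80 - 203.0.113.9 Mozilla/5.0 200
2019-05-01 10:00:15 10.0.0.5 GET /UltimateEditorInclude/UserFiles/x.php5 - 80 - 198.51.100.7 curl/7.64 404
2019-05-01 10:00:20 10.0.0.5 GET /Default.aspx - 80 - 203.0.113.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_suspicious(uri_stem):
    """True if the (URL-decoded, case-folded) path names a script under UserFiles.

    Every path segment after the upload directory is checked, so a request
    like /UserFiles/x.aspx/anything (path-info) is flagged as well.
    """
    path = unquote(uri_stem).lower()
    if UPLOAD_DIR not in path:
        return False
    tail = path.split(UPLOAD_DIR, 1)[1]
    return any(seg.endswith(SCRIPT_EXTS) for seg in tail.split("/"))


def find_hits(text):
    """Return (client ip, method, uri-stem, status) for each flagged record."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if is_suspicious(stem):
            hits.append((rec["c-ip"], rec["cs-method"], stem, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, method, stem, status in find_hits(SAMPLE_LOG):
        print(f"{ip} {method} {stem} -> {status}")
```

Matching on the path rather than on the response code is intentional: the 200 on `cmd.aspx` is the successful case from the writeup, while the 404 on `x.php5` shows an upload that was attempted or removed, and both deserve a look. On a real deployment the same rule can be checked the other way round, from disk, by listing files under `UltimateEditorInclude/UserFiles/` whose extension is not in the image/document allowlist.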