CVE-2016-11020

moderate-risk
Published 2020-02-25

Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.

Do I need to act?

~
3.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 7f7696ce53b7a57c7affa5cf4190e07c5f105383
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Kunena

Affected Vendors

Kunena

References (6)

Patch https://github.com/Kunena/Kunena-Forum/pull/5028
Release Notes https://www.kunena.org/blog/179-kunena-5-0-4-released
Release Notes https://www.kunena.org/bugs/changelog
Patch https://github.com/Kunena/Kunena-Forum/pull/5028
Release Notes https://www.kunena.org/blog/179-kunena-5-0-4-released
Release Notes https://www.kunena.org/bugs/changelog
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 5/34 · Minimal