CVE-2019-11401

EUVD-2022-3756
A issue was discovered in SiteServer CMS 6.9.0. It allows remote attackers to execute arbitrary code because an administrator can add the permitted file extension .aassp, which is converted to .asp because the "as" substring is deleted.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
siteserversiteserver_cms
6.9.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/siteserver/cms/issues/1858
https://github.com/siteserver/cms/issues/1858