Description
Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution.
References (3)
Release Notes, Vendor Advisory: https://www.kunena.org/bugs/changelog
Patch, Third Party Advisory: https://github.com/Kunena/Kunena-Forum/pull/5028
Release Notes, Vendor Advisory: https://www.kunena.org/blog/179-kunena-5-0-4-released
Scores
CVSS v3
9.8
EPSS
0.0339
EPSS Percentile
87.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
kunena/kunena
< 5.0.4
Published
Feb 25, 2020
Tracked Since
Feb 18, 2026