CVE-2019-11074
HIGHPaessler Prtg Network Monitor < 19.1.49 - Unrestricted File Upload
Title source: ruleDescription
A Write to Arbitrary Location in Disk vulnerability exists in PRTG Network Monitor 19.1.49 and below that allows attackers to place files in arbitrary locations with SYSTEM privileges (although not controlling the contents of such files) due to insufficient sanitisation when passing arguments to the phantomjs.exe binary. In order to exploit the vulnerability, remote authenticated administrators need to create a new HTTP Full Web Page Sensor and set specific settings when executing the sensor.
References (3)
Core 3
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.paessler.com/prtg/history/stable
Exploit, Third Party Advisory x_refsource_misc
https://sensepost.com/blog/2019/being-stubborn-pays-off-pt.-1-cve-2018-19204/
Release Notes, Third Party Advisory x_refsource_misc
https://how2itsec.blogspot.com/2019/10/security-fixes-in-prtg-1935152.html
Scores
CVSS v3
7.2
EPSS
0.0372
EPSS Percentile
88.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
paessler/prtg_network_monitor
< 19.1.49
Published
Mar 17, 2020
Tracked Since
Feb 18, 2026