CVE-2019-12150

CRITICAL

Karamasoft UltimateEditor 1 - Info Disclosure

Title source: llm

Description

Karamasoft UltimateEditor 1 does not ensure that an uploaded file is an image or document (neither file types nor extensions are restricted). The attacker must use the Attach icon to perform an upload. An uploaded file is accessible under the UltimateEditorInclude/UserFiles/ URI.

Exploits (1)

github NO CODE

by Gr4y21 · poc

https://github.com/Gr4y21/My-CVE-IDs/tree/master/CVE-2019-12150

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] https://github.com/Gr4y21/My-CVE-IDs/blob/master/CVE-2019-12150/Karamasoft%20Arbitrary%20File%20Upload

View Exploit ZIP pw:eip

[Product, Vendor Advisory] https://www.karamasoft.com

Scores

CVSS v3 9.8

EPSS 0.0061

EPSS Percentile 69.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

karamasoft/ultimateeditor 1.0

Published May 24, 2019

Tracked Since Feb 18, 2026