CVE-2019-12150

CRITICAL

Karamasoft UltimateEditor 1 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12150. PoCs published by Gr4y21.

Description

Karamasoft UltimateEditor 1 does not ensure that an uploaded file is an image or document (neither file types nor extensions are restricted). The attacker must use the Attach icon to perform an upload. An uploaded file is accessible under the UltimateEditorInclude/UserFiles/ URI.

Exploits (1)

github NO CODE

by Gr4y21 · poc

https://github.com/Gr4y21/My-CVE-IDs/tree/master/CVE-2019-12150

View Code ZIP pw:eip

References (2)

Core 2

Core References

Product, Vendor Advisory x_refsource_misc

https://www.karamasoft.com

Exploit, Third Party Advisory x_refsource_misc

https://github.com/Gr4y21/My-CVE-IDs/blob/master/CVE-2019-12150/Karamasoft%20Arbitrary%20File%20Upload

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0173

EPSS Percentile 74.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

karamasoft/ultimateeditor 1.0

Published May 24, 2019

Tracked Since Feb 18, 2026