Vulnerability_id VCID-1w3g-1bcg-9fb7
Summary
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) in the `bolt/upload` file upload feature of Bolt CMS allows remote attackers to execute arbitrary code. An attacker-hosted page with JavaScript forges requests from the browser of a logged-in Bolt user: the forged requests edit the `file/edit/config/config.yml` configuration file so that executable file extensions are accepted, and then upload a file with such an extension through `bolt/upload`.
Aliases
0
alias CVE-2019-10874
1
alias GHSA-3g6c-88pf-m46f
Fixed_packages
0
url pkg:composer/bolt/bolt@3.6.7
purl pkg:composer/bolt/bolt@3.6.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-66gv-4k2x-5bgp
1
vulnerability VCID-6nxv-q8hv-rkbt
2
vulnerability VCID-dj4e-fqt2-r3ap
3
vulnerability VCID-juxv-sxxr-s3d8
4
vulnerability VCID-m63y-x2d4-9ya4
5
vulnerability VCID-mdzj-jtgu-zycy
6
vulnerability VCID-mt2z-nyas-5qer
7
vulnerability VCID-u9hk-ce69-83gw
8
vulnerability VCID-uyas-urd2-puaz
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.6.7
Affected_packages
0
url pkg:composer/bolt/bolt@3.6.6
purl pkg:composer/bolt/bolt@3.6.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1w3g-1bcg-9fb7
1
vulnerability VCID-66gv-4k2x-5bgp
2
vulnerability VCID-6nxv-q8hv-rkbt
3
vulnerability VCID-dj4e-fqt2-r3ap
4
vulnerability VCID-juxv-sxxr-s3d8
5
vulnerability VCID-m63y-x2d4-9ya4
6
vulnerability VCID-mdzj-jtgu-zycy
7
vulnerability VCID-mt2z-nyas-5qer
8
vulnerability VCID-u9hk-ce69-83gw
9
vulnerability VCID-uyas-urd2-puaz
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.6.6
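The Fixed_packages and Affected_packages lists above are explicit per-version entries, and a fixed version can still carry other VCIDs (3.6.7 is fixed for this record yet remains affected by nine others). The following is an added example, not VulnerableCode's own client code, showing how a practitioner can turn such a record into an answer for a given purl. The `RECORD` dict is a constructed, abbreviated copy of this page's data (only two of 3.6.7's residual VCIDs are kept); `split_purl`, `version_key`, `fixes_for` and `assess` are names chosen here.

```python
from typing import Dict, List, Tuple

# Constructed, abbreviated copy of the record on this page (VCID-1w3g-1bcg-9fb7).
# The page lists nine residual VCIDs for 3.6.7; two are kept here to show the shape.
RECORD: Dict = {
    "vulnerability_id": "VCID-1w3g-1bcg-9fb7",
    "aliases": ["CVE-2019-10874", "GHSA-3g6c-88pf-m46f"],
    "fixed_packages": [
        {"purl": "pkg:composer/bolt/bolt@3.6.7",
         "affected_by_vulnerabilities": ["VCID-66gv-4k2x-5bgp", "VCID-uyas-urd2-puaz"]},
    ],
    "affected_packages": [
        {"purl": "pkg:composer/bolt/bolt@3.6.6",
         "affected_by_vulnerabilities": ["VCID-1w3g-1bcg-9fb7", "VCID-66gv-4k2x-5bgp",
                                         "VCID-uyas-urd2-puaz"]},
    ],
}


def split_purl(purl: str) -> Tuple[str, str]:
    """Return (name part, version) of a purl, dropping qualifiers and subpath."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = core.partition("@")
    return name, version


def version_key(version: str) -> Tuple:
    """Sort key for plain dotted versions such as 3.6.6 (what this record uses).
    A pre-release suffix (3.6.7-beta1) sorts below the corresponding release."""
    release, _, pre = version.partition("-")
    parts = tuple(int(p) if p.isdigit() else 0 for p in release.split("."))
    return parts, (pre == "", pre)


def fixes_for(record: Dict, name: str) -> List[str]:
    """Versions the record names as fixed for the given package name."""
    return [split_purl(e["purl"])[1] for e in record["fixed_packages"]
            if split_purl(e["purl"])[0] == name]


def assess(record: Dict, purl: str) -> Dict:
    """Decide whether `purl` is affected by record["vulnerability_id"].

    Exact matches against the record's explicit package lists are authoritative.
    For a version the record does not list, the answer is inferred from the lowest
    fixed version and flagged as such: the record does not say where the bug was
    introduced, so "older than the fix" can over-report.
    """
    vcid = record["vulnerability_id"]
    name, version = split_purl(purl)

    for entry in record["affected_packages"]:
        if entry["purl"] == purl:
            return {"purl": purl, "affected": True, "inferred": False,
                    "fix_versions": fixes_for(record, name),
                    "other_vulnerabilities": [v for v in entry["affected_by_vulnerabilities"]
                                              if v != vcid]}
    for entry in record["fixed_packages"]:
        if entry["purl"] == purl:
            # Fixed for this VCID, but report what the fixed version still carries.
            return {"purl": purl, "affected": False, "inferred": False,
                    "fix_versions": [version],
                    "other_vulnerabilities": list(entry["affected_by_vulnerabilities"])}

    fixes = fixes_for(record, name)
    if not fixes:
        # Different package, or a record with no fix: nothing can be concluded.
        return {"purl": purl, "affected": None, "inferred": True,
                "fix_versions": [], "other_vulnerabilities": []}
    lowest_fix = min(fixes, key=version_key)
    return {"purl": purl,
            "affected": version_key(version) < version_key(lowest_fix),
            "inferred": True, "fix_versions": fixes, "other_vulnerabilities": []}


if __name__ == "__main__":
    for p in ("pkg:composer/bolt/bolt@3.6.6", "pkg:composer/bolt/bolt@3.6.7",
              "pkg:composer/bolt/bolt@3.5.0"):
        print(assess(RECORD, p))
```

The `inferred` flag is the caveat worth keeping in any tooling built on these records: only the listed purls are statements the record actually makes, and upgrading to a "fixed" version closes this VCID without clearing the others listed against it.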
References
0
reference_url http://packetstormsecurity.com/files/152429/Bolt-CMS-3.6.6-Cross-Site-Request-Forgery-Code-Execution.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/152429/Bolt-CMS-3.6.6-Cross-Site-Request-Forgery-Code-Execution.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-10874
reference_id
reference_type
scores
0
value 0.00389
scoring_system epss
scoring_elements 0.60349
published_at 2026-06-07T12:55:00Z
1
value 0.00389
scoring_system epss
scoring_elements 0.60361
published_at 2026-06-06T12:55:00Z
2
value 0.00389
scoring_system epss
scoring_elements 0.60359
published_at 2026-06-05T12:55:00Z
3
value 0.00389
scoring_system epss
scoring_elements 0.60312
published_at 2026-06-04T12:55:00Z
4
value 0.00389
scoring_system epss
scoring_elements 0.60332
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-10874
2
reference_url https://fgsec.net/from-csrf-to-rce-bolt-cms
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://fgsec.net/from-csrf-to-rce-bolt-cms
3
reference_url https://github.com/bolt/bolt
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/bolt/bolt
4
reference_url https://github.com/bolt/bolt/pull/7768/commits/91187aef36363a870d60b0a3c1bf8507af34c9e4
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/bolt/bolt/pull/7768/commits/91187aef36363a870d60b0a3c1bf8507af34c9e4
5
reference_url https://www.exploit-db.com/exploits/46664
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/46664
6
reference_url https://www.exploit-db.com/exploits/46664/
reference_id
reference_type
scores
url https://www.exploit-db.com/exploits/46664/
7
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46664.html
reference_id CVE-2019-10874
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46664.html
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-10874
reference_id CVE-2019-10874
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-10874
9
reference_url https://github.com/advisories/GHSA-3g6c-88pf-m46f
reference_id GHSA-3g6c-88pf-m46f
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3g6c-88pf-m46f
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 352
name Cross-Site Request Forgery (CSRF)
description The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
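The CWE-352 definition above (and the summary at the top of this record) is the whole mechanism: the endpoint accepts a well-formed request carrying the victim's session cookie without checking that the user intended it. The following is an added example, not Bolt's code and not the fix from the referenced pull request, written to show a state-changing config handler in the vulnerable shape beside a hardened one. The `Request` dataclass, the `SITE_ORIGIN` value, the `/bolt/file/edit/config/config.yml` path, the `accepted_file_types` form field and the in-memory `SESSIONS` store are all assumptions made for this demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical minimal request model; not Bolt's or Silex's real request object.
@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)

SITE_ORIGIN = "https://cms.example"   # assumed deployment origin
SESSIONS: Dict[str, Dict] = {}        # session id -> {"user", "csrf"} (assumed store)


def login(user: str) -> str:
    """Create a session with a per-session CSRF token; returns the session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session(request: Request) -> Optional[Dict]:
    return SESSIONS.get(request.cookies.get("session", ""))


def _apply(form: Dict[str, str], config: Dict) -> None:
    """Write the submitted extension list into the config (assumed key name)."""
    raw = form.get("accepted_file_types", "")
    config["accepted_file_types"] = [e.strip() for e in raw.split(",") if e.strip()]


def vulnerable_save_config(request: Request, config: Dict) -> bool:
    """Vulnerable shape: the session cookie alone authorises the change. A browser
    attaches that cookie to a POST triggered from an attacker's page, so a forged
    request that adds an executable extension is accepted."""
    sess = _session(request)
    if request.method != "POST" or sess is None:
        return False
    _apply(request.form, config)
    return True


def hardened_save_config(request: Request, config: Dict) -> bool:
    """Hardened shape: same authentication, plus two independent intent checks."""
    sess = _session(request)
    if request.method != "POST" or sess is None:
        return False
    # 1. Browsers set Origin on cross-site POSTs; Referer is the fallback. Either
    #    must be this site exactly or a path under it (not merely a prefix match).
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False
    # 2. Synchronizer token: tied to the session, unreadable cross-site,
    #    compared in constant time.
    token = request.form.get("_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return False
    _apply(request.form, config)
    return True


def forged_request(session_id: str) -> Request:
    """Constructed cross-site POST: the victim's browser attaches the session
    cookie, but the attacker's page cannot read the token and the browser
    reports the attacker's origin."""
    return Request("POST", "/bolt/file/edit/config/config.yml",
                   cookies={"session": session_id},
                   headers={"Origin": "https://attacker.example"},
                   form={"accepted_file_types": "jpg,png,php"})


def legitimate_request(session_id: str) -> Request:
    """Constructed same-site POST carrying the session's own token."""
    return Request("POST", "/bolt/file/edit/config/config.yml",
                   cookies={"session": session_id},
                   headers={"Origin": SITE_ORIGIN},
                   form={"accepted_file_types": "jpg,png,webp",
                         "_token": SESSIONS[session_id]["csrf"]})


if __name__ == "__main__":
    sid = login("admin")
    cfg = {"accepted_file_types": ["jpg", "png"]}
    print("vulnerable accepts forgery:", vulnerable_save_config(forged_request(sid), cfg), cfg)
    cfg = {"accepted_file_types": ["jpg", "png"]}
    print("hardened rejects forgery:", not hardened_save_config(forged_request(sid), cfg), cfg)
    print("hardened accepts real user:", hardened_save_config(legitimate_request(sid), cfg), cfg)
```

Both checks are kept because each fails alone in some deployments (Origin can be absent behind certain proxies and older clients; a token check without an origin check still leaks through sub-domain or XSS-assisted token theft). Marking the session cookie `SameSite=Lax` adds a third layer that stops the forged cross-site POST from carrying the cookie at all.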
Exploits
0
date_added 2019-04-08
description Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution
required_action null
due_date null
notes null
known_ransomware_campaign_use false
source_date_published 2019-04-08
exploit_type webapps
platform php
source_date_updated 2019-04-08
data_source Exploit-DB
source_url
Severity_range_score 7.0 - 8.9
Exploitability 2.0
Weighted_severity 8.0
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1w3g-1bcg-9fb7