{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40869?format=json","vulnerability_id":"VCID-1w3g-1bcg-9fb7","summary":"Cross-Site Request Forgery (CSRF)\nCross Site Request Forgery (CSRF) in the `bolt/upload` File Upload feature in Bolt CMS allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the `file/edit/config/config.yml` configuration file.","aliases":[{"alias":"CVE-2019-10874"},{"alias":"GHSA-3g6c-88pf-m46f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57729?format=json","purl":"pkg:composer/bolt/bolt@3.6.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gv-4k2x-5bgp"},{"vulnerability":"VCID-6nxv-q8hv-rkbt"},{"vulnerability":"VCID-dj4e-fqt2-r3ap"},{"vulnerability":"VCID-juxv-sxxr-s3d8"},{"vulnerability":"VCID-m63y-x2d4-9ya4"},{"vulnerability":"VCID-mdzj-jtgu-zycy"},{"vulnerability":"VCID-mt2z-nyas-5qer"},{"vulnerability":"VCID-u9hk-ce69-83gw"},{"vulnerability":"VCID-uyas-urd2-puaz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.6.7"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57728?format=json","purl":"pkg:composer/bolt/bolt@3.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1w3g-1bcg-9fb7"},{"vulnerability":"VCID-66gv-4k2x-5bgp"},{"vulnerability":"VCID-6nxv-q8hv-rkbt"},{"vulnerability":"VCID-dj4e-fqt2-r3ap"},{"vulnerability":"VCID-juxv-sxxr-s3d8"},{"vulnerability":"VCID-m63y-x2d4-9ya4"},{"vulnerability":"VCID-mdzj-jtgu-zycy"},{"vulnerability":"VCID-mt2z-nyas-5qer"},{"vulnerability":"VCID-u9hk-ce69-83gw"},{"vulnerability":"VCID-uyas-urd2-puaz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/bolt/bolt@3.6.6"}],"references":[{"reference_url":"http://packetstormsecurity.com/files/152429/Bolt-CMS-3.6.6-Cross-Site-Request-Forgery-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/152429/Bolt-CMS-3.6.6-Cross-Site-Request-Forgery-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10874","reference_id":"","reference_type":"","scores":[{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60349","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60361","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60359","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60312","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60332","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10874"},{"reference_url":"https://fgsec.net/from-csrf-to-rce-bolt-cms","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://fgsec.net/from-csrf-to-rce-bolt-cms"},{"reference_url":"https://github.com/bolt/bolt","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt"},{"reference_url":"https://github.com/bolt/bolt/pull/7768/commits/91187aef36363a870d60b0a3c1bf8507af34c9e4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bolt/bolt/pull/7768/commits/91187aef36363a870d60b0a3c1bf8507af34c9e4"},{"reference_url":"https://www.exploit-db.com/exploits/46664","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/46664"},{"reference_url":"https://www.exploit-db.com/exploits/46664/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/46664/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46664.html","reference_id":"CVE-2019-10874","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46664.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10874","reference_id":"CVE-2019-10874","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10874"},{"reference_url":"https://github.com/advisories/GHSA-3g6c-88pf-m46f","reference_id":"GHSA-3g6c-88pf-m46f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3g6c-88pf-m46f"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":352,"name":"Cross-Site Request Forgery (CSRF)","description":"The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[{"date_added":"2019-04-08","description":"Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution","required_action":null,"due_date":null,"notes":null,"known_ransomware_campaign_use":false,"source_date_published":"2019-04-08","exploit_type":"webapps","platform":"php","source_date_updated":"2019-04-08","data_source":"Exploit-DB","source_url":""}],"severity_range_score":"7.0 - 8.9","exploitability":"2.0","weighted_severity":"8.0","risk_score":10.0,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1w3g-1bcg-9fb7"}