Description
Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.
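A defensive check for the flaw described above, as an added example that is not Craft CMS code or its fix: the same validation runs on every path that sets a file name, including rename and replace, not only on the first upload. The function name `checkAssetName`, the allowlist and the sample bytes are assumptions constructed for illustration; it requires PHP's fileinfo extension.

```php
<?php
// Added example, not Craft CMS code. All names here are hypothetical.

const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Decide whether $bytes may be stored under $targetName.
 * Call it from upload, rename and replace alike.
 * Returns null when allowed, otherwise the reason for rejection.
 */
function checkAssetName(string $targetName, string $bytes): ?string
{
    // Judge only the final extension: "a.jpg.php" is a .php file.
    $ext = strtolower(pathinfo($targetName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return "extension '$ext' is not allowed";
    }
    // The content must be the type the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return "content is $mime, not " . ALLOWED_IMAGE_TYPES[$ext];
    }
    // Defence in depth only: the extension check is the primary control.
    if (stripos($bytes, '<?php') !== false) {
        return 'image contains a PHP open tag';
    }
    return null;
}

// Constructed samples: a minimal JPEG header, with and without an inert tag.
$header = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00";
$clean  = $header . "\xFF\xD9";
$tagged = $header . "<?php /* marker */ ?>" . "\xFF\xD9";

// Upload of a clean image, upload of a tagged image, replace to a .php name.
$cases = [['photo.jpg', $clean], ['photo.jpg', $tagged], ['photo.php', $clean]];
foreach ($cases as [$name, $bytes]) {
    printf("%-10s %s\n", $name, checkAssetName($name, $bytes) ?? 'accepted');
}
```

Serving the asset directory with script execution disabled at the web server is a separate control that limits the impact if a name check is bypassed.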
Remediation
References