Description
Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.
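The flaw described above comes down to a filename change that is not re-checked after the original upload was accepted. The following is an added example, not Craft CMS code or the vendor's fix: a server-side check applied to every replace or rename request, where the allowlist, the function name `checkAssetRename` and the sample filenames are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist for an image-only asset volume (assumption, not Craft's configuration).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Decide whether an existing asset may take a new filename during a
 * replace or rename operation. Returns null when allowed, otherwise a reason.
 */
function checkAssetRename(string $currentName, string $requestedName): ?string
{
    // Accept a bare filename only, so the request cannot move the file.
    $requested = basename(str_replace('\\', '/', $requestedName));
    if ($requested === '' || $requested !== $requestedName) {
        return 'filename is empty or contains a path';
    }
    if (preg_match('/[\x00-\x1f]/', $requested) || substr($requested, -1) === '.') {
        return 'filename contains control characters or a trailing dot';
    }
    // Check every dot-separated segment after the base name, so that
    // "cat.php.jpg" is rejected as well as "cat.php". Names with extra
    // dots are refused on purpose.
    $segments = explode('.', strtolower($requested));
    array_shift($segments); // drop the base name
    if ($segments === []) {
        return 'filename has no extension';
    }
    foreach ($segments as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return "extension .$ext is not on the allowlist";
        }
    }
    // The upload was validated under its original extension; a rename must keep it.
    $oldExt = strtolower(pathinfo($currentName, PATHINFO_EXTENSION));
    $newExt = end($segments);
    if ($oldExt !== $newExt) {
        return "rename changes extension from .$oldExt to .$newExt";
    }
    return null;
}

// Constructed sample requests: [stored name, requested name].
$samples = [['cat.jpg', 'cat.jpg'], ['cat.jpg', 'cat.php'], ['cat.jpg', 'cat.php.jpg'], ['cat.jpg', '../cat.jpg']];
foreach ($samples as [$old, $new]) {
    printf("%s -> %s: %s\n", $old, $new, checkAssetRename($old, $new) ?? 'allowed');
}
```

Because a valid image can carry PHP text in its metadata, inspecting the file content alone does not replace this check on the final filename.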
Remediation
References