{"id":"CVE-2019-11401","details":"An issue was discovered in SiteServer CMS 6.9.0. It allows remote attackers to execute arbitrary code because an administrator can add the permitted file extension .aassp, which is converted to .asp because the \"as\" substring is deleted.","aliases":["GHSA-ff4w-8chr-w2x9"],"modified":"2026-04-11T21:43:49.194552Z","published":"2019-04-22T11:29:04.313Z","references":[{"type":"EVIDENCE","url":"https://github.com/siteserver/cms/issues/1858"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/siteserver/cms","events":[{"introduced":"0"},{"last_affected":"5e04df46b9d73fa75189c93ba58521023129fca7"}],"database_specific":{"cpe":"cpe:2.3:a:siteserver:siteserver_cms:6.9.0:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"6.9.0"}]}}],"versions":["siteserver-dev-v5.0.18","siteserver-dev-v5.0.22","siteserver-dev-v5.0.23","siteserver-dev-v5.0.24","siteserver-dev-v5.0.25","siteserver-dev-v5.0.37","siteserver-dev-v5.0.40","siteserver-dev-v5.0.53","siteserver-dev-v5.0.55","siteserver-v5.0.126","siteserver-v5.0.127","siteserver-v5.0.128","siteserver-v5.0.135","siteserver-v5.0.136","siteserver-v5.0.143","siteserver-v5.0.145","siteserver-v5.0.15","siteserver-v5.0.78","siteserver-v5.0.81","siteserver-v5.0.82","siteserver-v6.0.0-rc1","siteserver-v6.0.210-rc1","siteserver-v6.0.211-preview","siteserver-v6.0.212-preview","siteserver-v6.0.214-preview","siteserver-v6.0.215-preview","siteserver-v6.0.216-preview","siteserver-v6.0.218-rc2","siteserver-v6.0.219-preview","siteserver-v6.0.220-rc2","siteserver-v6.0.222-preview","siteserver-v6.0.224-preview","siteserver-v6.0.225-preview","siteserver-v6.0.226-preview","siteserver-v6.0.227-preview","siteserver-v6.0.228-preview","siteserver-v6.0.229-preview","siteserver-v6.0.230-preview","siteserver-v6.0.231","siteserver-v6.0.232-preview","siteserver-v6.0.233","siteserver-v6.0.240-preview","siteserver-v6.0.241-preview","siteserver-v6.0.242-preview","siteserver-v6.0
.243","siteserver-v6.0.244-preview","siteserver-v6.0.245-preview","siteserver-v6.0.246","siteserver-v6.0.247-preview","siteserver-v6.0.248-preview","siteserver-v6.0.249-preview","siteserver-v6.0.250-preview","siteserver-v6.0.251-preview","siteserver-v6.0.252-preview","siteserver-v6.0.253-preview","siteserver-v6.0.254-preview","siteserver-v6.0.255-preview","siteserver-v6.0.256-preview","siteserver-v6.0.257-preview","siteserver-v6.0.258-preview","siteserver-v6.0.259-preview","siteserver-v6.0.{build}-rc1","siteserver-v6.1.0-preview","siteserver-v6.1.1","siteserver-v6.1.10-preview","siteserver-v6.1.11-preview","siteserver-v6.1.14-beta","siteserver-v6.1.15-beta","siteserver-v6.1.16-beta","siteserver-v6.1.17-beta","siteserver-v6.1.18-beta","siteserver-v6.1.19-beta","siteserver-v6.1.2-preview","siteserver-v6.1.20-beta","siteserver-v6.1.21-beta","siteserver-v6.1.22-beta","siteserver-v6.1.23-beta","siteserver-v6.1.24-beta","siteserver-v6.1.25-beta","siteserver-v6.1.26-beta","siteserver-v6.1.27-beta","siteserver-v6.1.3","siteserver-v6.1.4-preview","siteserver-v6.1.5-preview","siteserver-v6.1.7-preview","siteserver-v6.1.8-preview","siteserver-v6.1.9-preview","siteserver-v6.2.0","siteserver-v6.2.10-beta","siteserver-v6.2.11-beta","siteserver-v6.2.12-beta","siteserver-v6.2.13-beta","siteserver-v6.2.14-beta","siteserver-v6.2.15-beta","siteserver-v6.2.17-beta","siteserver-v6.2.18-beta","siteserver-v6.2.19-beta","siteserver-v6.2.20-beta","siteserver-v6.2.6-beta","siteserver-v6.2.7-beta","siteserver-v6.2.8-beta","siteserver-v6.2.9-beta","siteserver-v6.3.0-beta","siteserver-v6.3.1-beta","siteserver-v6.3.10-beta","siteserver-v6.3.11-beta","siteserver-v6.3.12","siteserver-v6.3.14-beta","siteserver-v6.3.16-beta","siteserver-v6.3.17-beta","siteserver-v6.3.18-beta","siteserver-v6.3.19-beta","siteserver-v6.3.2","siteserver-v6.3.20-beta","siteserver-v6.3.24-beta","siteserver-v6.3.25-beta","siteserver-v6.3.26-beta","siteserver-v6.3.31-beta","siteserver-v6.3.32-beta","siteserver-v6.3.33-beta"
,"siteserver-v6.3.34-beta","siteserver-v6.3.35-beta","siteserver-v6.3.36-beta","siteserver-v6.3.9-beta","siteserver-v6.4.0-beta","siteserver-v6.4.1","siteserver-v6.4.10-beta","siteserver-v6.4.11-beta","siteserver-v6.4.12-beta","siteserver-v6.4.13-beta","siteserver-v6.4.14-beta","siteserver-v6.4.15-beta","siteserver-v6.4.3-beta","siteserver-v6.4.4-beta","siteserver-v6.4.5-beta","siteserver-v6.4.6-beta","siteserver-v6.4.7-beta","siteserver-v6.4.8-beta","siteserver-v6.4.9-beta","siteserver-v6.5.0-beta","siteserver-v6.5.1","siteserver-v6.5.13-beta","siteserver-v6.5.14-beta","siteserver-v6.5.16-beta","siteserver-v6.5.17-beta","siteserver-v6.5.18-beta","siteserver-v6.5.19-beta","siteserver-v6.5.2-beta","siteserver-v6.5.21-beta","siteserver-v6.5.22-beta","siteserver-v6.5.23-beta","siteserver-v6.5.24-beta","siteserver-v6.5.3-beta","siteserver-v6.5.4-beta","siteserver-v6.5.5-beta","siteserver-v6.5.6-beta","siteserver-v6.6.0-beta","siteserver-v6.6.1-beta","siteserver-v6.6.10-beta","siteserver-v6.6.11-beta","siteserver-v6.6.12-beta","siteserver-v6.6.13-beta","siteserver-v6.6.14-beta","siteserver-v6.6.15-beta","siteserver-v6.6.17-beta","siteserver-v6.6.18-beta","siteserver-v6.6.19-beta","siteserver-v6.6.2","siteserver-v6.6.20-beta","siteserver-v6.6.21-beta","siteserver-v6.6.22-beta","siteserver-v6.6.23-beta","siteserver-v6.6.24-beta","siteserver-v6.6.25-beta","siteserver-v6.6.26-beta","siteserver-v6.6.27-beta","siteserver-v6.6.3-beta","siteserver-v6.6.30-beta","siteserver-v6.6.31-beta","siteserver-v6.6.32-beta","siteserver-v6.6.33-beta","siteserver-v6.6.34-beta","siteserver-v6.6.35-beta","siteserver-v6.6.36-beta","siteserver-v6.6.37-beta","siteserver-v6.6.38-beta","siteserver-v6.6.39-beta","siteserver-v6.6.4-beta","siteserver-v6.6.40-beta","siteserver-v6.6.41-beta","siteserver-v6.6.5-beta","siteserver-v6.6.6-beta","siteserver-v6.6.7-beta","siteserver-v6.6.8-beta","siteserver-v6.6.9-beta","siteserver-v6.7.0","siteserver-v6.7.1","siteserver-v6.7.10-beta","siteserver-v6.7.11-beta"
,"siteserver-v6.7.12-beta","siteserver-v6.7.13-beta","siteserver-v6.7.14-beta","siteserver-v6.7.15-beta","siteserver-v6.7.17-beta","siteserver-v6.7.2-beta","siteserver-v6.7.3-beta","siteserver-v6.7.4","siteserver-v6.7.5-beta","siteserver-v6.7.6","siteserver-v6.7.8-beta","siteserver-v6.7.9-beta","siteserver-v6.8.0","siteserver-v6.8.1","siteserver-v6.8.3","siteserver-v6.9.0","upload"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11401.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}