Security Bulletin. Vulnerability found in Email Marketer v6.0.0 through v6.5.0

Interspire Email Marketer versions 6.0.0 through 6.5.0 with the Surveys addon enabled allow arbitrary file upload via the surveys_submit.php “create survey and submit survey” operation, which can cause a .php file to be accessible under a /admin/temp/surveys/ URI.

We recommend that all users of Email Marketer immediately take one of the following corrective actions.

If you are not using the survey functionality of Email Marketer:

  • Disable the Surveys addon from the addon management screen
  • Backup and delete the file ~/surveys_submit.php

Or

If you are using the survey functionality of Email Marketer:

  • Download the updated version of surveys_submit.php
  • Backup and delete the file ~/surveys_submit.php
  • Unzip the updated version of surveys_submit.php in your installation directory

Or

Update to the latest version of Email Marketer:

If you have an active download link, download and update to the latest version of Email Marketer, which at the time of this writing is version 6.5.1.
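Deleting or replacing surveys_submit.php does not touch files already present under /admin/temp/surveys/, so it is worth checking that directory as well. The shell check below is an added example, not Interspire's code; it assumes the URI maps to admin/temp/surveys inside the installation directory, and the function names and the extension list beyond .php are this example's own.

```shell
#!/bin/sh
# Added example (not vendor code): post-incident check for CVE-2022-40777.
# Assumption: the /admin/temp/surveys/ URI maps to <install_dir>/admin/temp/surveys.

# List uploaded files that the web server might run as PHP.
# Matches by extension (case-insensitive, including double extensions such as
# name.php.jpg) and by content (a PHP open tag in any file, e.g. a polyglot image).
find_suspect_uploads() {
    upload_dir="$1/admin/temp/surveys"
    [ -d "$upload_dir" ] || return 0
    {
        find "$upload_dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php.*' \)
        find "$upload_dir" -type f -exec grep -liF '<?php' {} +
    } 2>/dev/null | sort -u
}

# Return 0 if nothing suspicious is found, 1 otherwise.
audit_install() {
    install_dir="$1"
    status=0
    if [ -f "$install_dir/surveys_submit.php" ]; then
        echo "NOTE: surveys_submit.php is present; confirm it is the updated file or that the install is 6.5.1"
    fi
    suspects=$(find_suspect_uploads "$install_dir")
    if [ -n "$suspects" ]; then
        echo "SUSPECT files under admin/temp/surveys:"
        echo "$suspects" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Run only when a path is given: sh audit.sh /var/www/emailmarketer (example path)
if [ "$#" -gt 0 ]; then
    audit_install "$1"
fi
```

Any file it reports should be preserved for investigation before removal, since its timestamp helps date the upload.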

The CVE number is CVE-2022-40777. Discovered by Nguyen Huy Vinh, Le Nguyen of Viettel Cyber Security.
