CVE-2014-3782

Severity

60%

Complexity

68%

Confidentiality

106%

Per: http://cwe.mitre.org/data/definitions/184.html "CWE-184: Incomplete Blacklist"

Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some other PHP file extension.

Per: http://cwe.mitre.org/data/definitions/184.html "CWE-184: Incomplete Blacklist"

CVSS 2.0 Base Score 6. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P).

Overview

First reported 10 years ago

2014-06-11 14:55:00

Last updated 10 years ago

2014-06-12 16:04:00

Affected Software

DotClear 2.6

2.6

DotClear 2.6 release candidate

2.6

DotClear 2.6.1

2.6.1

References

http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3

Vendor Advisory

http://karmainsecurity.com/KIS-2014-06

20140521 [KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability

20140522 Re: [KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability

20140523 Re: [KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability

58675

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.