Vulnerability Details : CVE-2014-3782
Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some other PHP file extension.
Products affected by CVE-2014-3782
- cpe:2.3:a:dotclear:dotclear:*:*:*:*:*:*:*:*
- cpe:2.3:a:dotclear:dotclear:2.6:-:*:*:*:*:*:*
- cpe:2.3:a:dotclear:dotclear:2.6:rc:*:*:*:*:*:*
- cpe:2.3:a:dotclear:dotclear:2.6.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3782
0.53%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 75 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3782
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
NIST |
References for CVE-2014-3782
-
http://seclists.org/fulldisclosure/2014/May/108
Full Disclosure: [KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability
-
http://seclists.org/fulldisclosure/2014/May/122
Full Disclosure: Re: [KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability
-
http://karmainsecurity.com/KIS-2014-06
Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability | Karma(In)Security
-
http://seclists.org/fulldisclosure/2014/May/116
Full Disclosure: Re: [KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability
-
http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3
Dotclear 2.6.3 › Dotclear News › Dotclear › Blog management made easyVendor Advisory
Jump to