Vulnerability Details : CVE-2016-9835
Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file.
Vulnerability category: Directory traversal
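The flaw class behind this advisory is a traversal filter that only understands the POSIX separator: on Windows, PHP also treats the backslash as a directory separator, so a request containing `..\` walks out of the web root even though `../` is rejected. The script below is an added illustration of that class, not Zikula's jcss.php code (which this page does not reproduce); it uses Python's `ntpath` so the Windows path semantics run on any host. The web root, the allowed suffixes and the sample requests are assumptions made for the example, and the PHP object-injection arm of the advisory (feeding a serialized file to an unserialize sink) is not modelled.

```python
import ntpath

# Assumed install layout for the example, not Zikula's real path.
WEB_ROOT = r"C:\inetpub\zikula"
# jcss.php serves stylesheets/scripts; restrict what may be read (assumption).
ALLOWED_SUFFIXES = (".css", ".js")


def naive_is_safe(requested: str) -> bool:
    """Filter that knows only the POSIX separator (the flaw class, illustrative)."""
    return "../" not in requested and not requested.startswith("/")


def resolve(requested: str, root: str = WEB_ROOT) -> str:
    """Lexically resolve `requested` under `root` with Windows semantics.

    ntpath.join discards `root` when `requested` is drive- or UNC-absolute,
    and ntpath.normpath collapses both `..\\` and `../` components.
    """
    return ntpath.normpath(ntpath.join(root, requested))


def is_within_root(requested: str, root: str = WEB_ROOT) -> bool:
    """Containment check after resolution instead of substring filtering."""
    if "\x00" in requested:            # NUL truncation in older PHP/libc
        return False
    target = resolve(requested, root).lower()   # NTFS is case-insensitive
    root_n = ntpath.normpath(root).lower()
    # Append a separator so "C:\inetpub\zikula2" is not treated as inside root.
    return target == root_n or target.startswith(root_n + "\\")


def safe_to_serve(requested: str, root: str = WEB_ROOT) -> bool:
    return is_within_root(requested, root) and requested.lower().endswith(ALLOWED_SUFFIXES)


def demo() -> dict:
    """Constructed sample requests: (naive filter verdict, hardened verdict)."""
    samples = [
        "style/site.css",            # legitimate
        "../../windows/win.ini",     # POSIX traversal, caught by both
        r"..\..\windows\win.ini",    # backslash traversal, bypasses the naive filter
        r"C:\windows\win.ini",       # drive-absolute path, join() drops the root
        r"\\evil\share\payload.ser", # UNC path to an attacker-controlled share
    ]
    return {s: (naive_is_safe(s), safe_to_serve(s)) for s in samples}


if __name__ == "__main__":
    for req, (naive, hardened) in demo().items():
        print(f"{req!r:32} naive={naive!s:5} hardened={hardened}")
```

`resolve` is lexical; on a live server replace it with `realpath()` (PHP) or `os.path.realpath` so symlinks and NTFS junctions are followed before the prefix test, and keep the suffix allow-list: the containment check alone still lets a user fetch any file the web user can read inside the root.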
Products affected by CVE-2016-9835
- cpe:2.3:a:zikula:zikula_application_framework:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.3:rc3:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.4.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:zikula:zikula_application_framework:1.3.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-9835
EPSS score: 3.91% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~87% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2016-9835
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P (CVSS v2) | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2016-9835
- CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. (Assigned by: nvd@nist.gov, Primary)
- CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. (Assigned by: nvd@nist.gov, Primary)
Note that neither assigned weakness is CWE-22 (Path Traversal), even though the description and the vulnerability category above call this a directory traversal and the linked issue describes it as a file read.
References for CVE-2016-9835
- https://github.com/zikula/core/blob/1.4/CHANGELOG-1.4.md
  core/CHANGELOG-1.4.md at 1.4 · zikula/core · GitHub (Issue Tracking; Patch; Release Notes; Third Party Advisory)
- http://www.securityfocus.com/bid/95005
  Zikula CVE-2016-9835 Directory Traversal Vulnerability (Third Party Advisory; VDB Entry)
- https://github.com/zikula/core/issues/3237
  "jcss.php" file read vulnerability (windows environment) · Issue #3237 · zikula/core · GitHub (Issue Tracking; Patch; Third Party Advisory)
- https://github.com/zikula/core/blob/1.3/CHANGELOG-1.3.md
  core/CHANGELOG-1.3.md at 1.3 · zikula/core · GitHub (Issue Tracking; Patch; Release Notes; Third Party Advisory)