CVE-2014-2664

Опубликовано: 17 окт. 2017

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.

Ссылки

http://karmainsecurity.com/KIS-2014-04
Third Party Advisory
http://secunia.com/advisories/57315
Third Party Advisory
http://www.securityfocus.com/bid/66506/discuss
Third Party Advisory
VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/92169
Third Party Advisory
VDB Entry
https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4
Third Party Advisory
http://karmainsecurity.com/KIS-2014-04
Third Party Advisory
http://secunia.com/advisories/57315
Third Party Advisory
http://www.securityfocus.com/bid/66506/discuss
Third Party Advisory
VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/92169
Third Party Advisory
VDB Entry
https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*

Версия до 3.7.5 (включая)

EPSS

Процентиль: 91%

0.06855

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-g22p-w64f-m87v