CVE-2014-9619

Опубликовано: 19 сент. 2017

Источник: nvd

CVSS3: 7.2

CVSS2: 6.5

EPSS Низкий

Описание

Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with admin privileges on the Cloud Manager web console to execute arbitrary PHP code by uploading a file with a double extension, then accessing it via a direct request to the file in webadmin/deny/images/, as demonstrated by secuid0.php.gif.

Ссылки

http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/37932/
Third Party Advisory
VDB Entry
http://packetstormsecurity.com/files/133034/Netsweeper-Bypass-XSS-Redirection-SQL-Injection-Execution.html
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/37932/
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*

Версия до 3.1.9 (включая)

cpe:2.3:a:netsweeper:netsweeper:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.0.5:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.0.6:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.0.7:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.0.8:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.1.0:*:*:*:*:*:*:*

cpe:2.3:a:netsweeper:netsweeper:4.1.1:*:*:*:*:*:*:*

EPSS

Процентиль: 91%

0.06457

Низкий

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-5872-pq3f-qqmv