exploitDog

CVE-2015-3884

Published: 17 Mar 2017
Source: nvd
CVSS3: 8.8
CVSS2: 6.5
EPSS: High

Description

Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/.

Vulnerable configurations

Configuration 1
cpe:2.3:a:qdpm:qdpm:*:*:*:*:*:*:*:*
Versions up to and including 9.1

EPSS

Percentile: 99%
0.7292
High

CVSS3: 8.8 High

CVSS2: 6.5 Medium

Weaknesses

CWE-434

Related vulnerabilities

CVSS3: 9.8
github
more than 3 years ago

Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/.
