exploitDog

CVE-2017-11178

Опубликовано: 12 июл. 2017

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files via the contents and filename parameters in a route=style action. For example, this can be used to overwrite a .php file because the file extension is not checked.

Ссылки

http://www.yuesec.com/img/cccccve/finecms_writefile/finecmswritefile_2017_07_011_subm1t.html
Exploit
Third Party Advisory
http://www.yuesec.com/img/cccccve/finecms_writefile/finecmswritefile_2017_07_011_subm1t.html
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:finecms_project:finecms:*:*:*:*:*:*:*:*

Версия до 2017-05-12 (включая)

EPSS

Процентиль: 31%

0.00117

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-345

Связанные уязвимости

GHSA-4hq9-2883-h256

CVSS3: 7.5

github

больше 3 лет назад

In FineCMS through 2017-07-11, application/core/controller/style.php allows remote attackers to write to arbitrary files via the contents and filename parameters in a route=style action. For example, this can be used to overwrite a .php file because the file extension is not checked.

EPSS

Процентиль: 31%

0.00117

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-345