CVE-2013-4898 - Unspecified vulnerability in Webhive Timeline 4.2.5

CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network, low complexity, webhive, socialengine, exploit available

Summary

Unrestricted file upload vulnerability in the user profile page feature in the Timeline Plugin 4.2.5p9 for SocialEngine allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in public/temporary/timeline/. Per: http://cwe.mitre.org/data/definitions/434.html "CWE-434: Unrestricted Upload of File with Dangerous Type"

Vulnerable Configurations

Part         Description   Count
Application  Webhive       1
Application  Socialengine  1

Exploit-Db

description: SocialEngine Timeline Plugin 4.2.5p9 - Arbitrary File Upload. CVE-2013-4898. Webapps exploit for php platform
file: exploits/php/webapps/27272.txt
id: EDB-ID:27272
last seen: 2016-02-03
modified: 2013-08-02
platform: php
port:
published: 2013-08-02
reporter: spyk2r
source: https://www.exploit-db.com/download/27272/
title: SocialEngine Timeline Plugin 4.2.5p9 - Arbitrary File Upload
type: webapps

Packetstorm

data source: https://packetstormsecurity.com/files/download/122702/socialengine45-shell.txt
id: PACKETSTORM:122702
last seen: 2016-12-05
published: 2013-08-07
reporter: Wesley Henrique Leite
source: https://packetstormsecurity.com/files/122702/SocialEngine-4.5-Shell-Upload.html
title: SocialEngine 4.5 Shell Upload