Vulnerabilities > CVE-2014-3782 - Unspecified vulnerability in Dotclear

CVSS 6.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

dotclear

NVD

Published: 2014-06-11

Updated: 2014-06-12

Summary

Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some other PHP file extension. Per: http://cwe.mitre.org/data/definitions/184.html "CWE-184: Incomplete Blacklist"

Vulnerable Configurations

Part	Description	Count
Application	Dotclear Dotclear Dotclear 2.6 Dotclear Dotclear 2.6.1 Dotclear Dotclear 1.2.1 Dotclear Dotclear 1.2.2 Dotclear Dotclear 1.2.3 Dotclear Dotclear 1.2.4 Dotclear Dotclear 1.2.5 Dotclear Dotclear 1.2.6 Dotclear Dotclear 1.2.7 Dotclear Dotclear 1.2.8 Dotclear Dotclear 2.0 Dotclear Dotclear 2.0.1 Dotclear Dotclear 2.0.2 Dotclear Dotclear 2.1 Dotclear Dotclear 2.1.1 Dotclear Dotclear 2.1.3 Dotclear Dotclear 2.1.4 Dotclear Dotclear 2.1.5 Dotclear Dotclear 2.1.6 Dotclear Dotclear 2.1.7 Dotclear Dotclear 2.2 Dotclear Dotclear 2.2.1 Dotclear Dotclear 2.2.2 Dotclear Dotclear 2.2.3 Dotclear Dotclear 2.3.0 Dotclear Dotclear 2.3.1 Dotclear Dotclear 2.4 Dotclear Dotclear 2.4.2 Dotclear Dotclear 2.4.3 Dotclear Dotclear 2.4.4 Dotclear Dotclear 2.5.0 Dotclear Dotclear 2.5.1 Dotclear Dotclear 2.5.2 Dotclear Dotclear 2.5.3 Dotclear Dotclear 2.6.2	45

Packetstorm

data source	https://packetstormsecurity.com/files/download/126767/KIS-2014-06.txt
id	PACKETSTORM:126767
last seen	2016-12-05
published	2014-05-22
reporter	EgiX
source	https://packetstormsecurity.com/files/126767/Dotclear-2.6.2-Arbitrary-File-Upload.html
title	Dotclear 2.6.2 Arbitrary File Upload

Summary

Vulnerable Configurations

Packetstorm

References