Vulnerabilities > CVE-2014-3782 - Unspecified vulnerability in Dotclear
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some other PHP file extension.
Vulnerable Configurations
Packetstorm
| data source | https://packetstormsecurity.com/files/download/126767/KIS-2014-06.txt |
| id | PACKETSTORM:126767 |
| last seen | 2016-12-05 |
| published | 2014-05-22 |
| reporter | EgiX |
| source | https://packetstormsecurity.com/files/126767/Dotclear-2.6.2-Arbitrary-File-Upload.html |
| title | Dotclear 2.6.2 Arbitrary File Upload |
References
- http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3
- http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3
- http://karmainsecurity.com/KIS-2014-06
- http://karmainsecurity.com/KIS-2014-06
- http://seclists.org/fulldisclosure/2014/May/108
- http://seclists.org/fulldisclosure/2014/May/108
- http://seclists.org/fulldisclosure/2014/May/116
- http://seclists.org/fulldisclosure/2014/May/116
- http://seclists.org/fulldisclosure/2014/May/122
- http://seclists.org/fulldisclosure/2014/May/122
- http://secunia.com/advisories/58675
- http://secunia.com/advisories/58675