CVE-2014-3782 - Unspecified vulnerability in Dotclear

CVSS 6.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
dotclear

Summary

Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some other PHP file extension. Per: http://cwe.mitre.org/data/definitions/184.html "CWE-184: Incomplete Blacklist"

Packetstorm

data source: https://packetstormsecurity.com/files/download/126767/KIS-2014-06.txt
id: PACKETSTORM:126767
last seen: 2016-12-05
published: 2014-05-22
reporter: EgiX
source: https://packetstormsecurity.com/files/126767/Dotclear-2.6.2-Arbitrary-File-Upload.html
title: Dotclear 2.6.2 Arbitrary File Upload