6.8

CVE-2011-4106

Exploit

TimThumb <= 1.33 - Remote File Download

TimThumb (timthumb.php) before 2.0 does not validate the entire source with the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it via a direct request to the file in the cache directory, as exploited in the wild in August 2011.
Possible countermeasure
Category List Portfolio Page: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Simple Post Thumbnails: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
TimThumb: Update to version 2.0, or a newer patched version
Further vulnerability information

System | Product | Version
WordPress Plugin | Category List Portfolio Page | *
WordPress Plugin | Simple Post Thumbnails | *
WordPress Plugin | TimThumb | [*, 2.0)

Data provided by the National Vulnerability Database (NVD)
Binarymoon Timthumb, version <= 1.99
No CISA KEV entry or CERT.AT advisory was found for this CVE.
EPSS metrics

Type | Source | Score | Percentile
EPSS | FIRST.org | 26.33% | 0.961

CVSS metrics

Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.