CVE-2012-2670

EPSS 0.69%
Veröffentlicht 17.06.2012 03:41:41
Zuletzt bearbeitet 11.04.2025 00:51:21
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

manageuser.php in Collabtive before 0.7.6 allows remote authenticated users, and possibly unauthenticated attackers, to bypass intended access restrictions and upload and execute arbitrary files by uploading an avatar file with an accepted Content-Type such as image/jpeg, then accessing it via a direct request to the file in files/standard/avatar.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

O-dyn ≫ Collabtive Version <= 0.7.5

O-dyn ≫ Collabtive Version0.6.4

O-dyn ≫ Collabtive Version0.6.5

O-dyn ≫ Collabtive Version0.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.69%	0.694

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://archives.neohapsis.com/archives/bugtraq/2012-06/0007.html

http://www.collabtive.o-dyn.de/blog/?p=426

http://www.openwall.com/lists/oss-security/2012/06/06/6

http://www.openwall.com/lists/oss-security/2012/06/06/9

http://www.securityfocus.com/archive/1/522973/30/0/threaded

http://www.securityfocus.com/bid/53813

http://xync.org/2012/06/04/Arbitrary-File-Upload-in-Collabtive.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/76101

https://nvd.nist.gov/vuln/detail/CVE-2012-2670

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2012-2670

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2012-2670

EUVD