CVE-2014-8739 (CVSS v3.1 base score 9.8)
- EPSS 91.55%
- Published 2020-02-08 18:15:11
- Last modified 2024-11-21 02:19:40
- Source cve@mitre.org
Creative Contact Form < 1.0.0 - Arbitrary File Upload
Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with a PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
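The exploit chain described above (a POST to the upload handler under server/php/, followed by a direct GET for a .php file under files/) leaves a recognisable two-step pattern in web server access logs. The following PHP script is an added detection example written for this page; it is not code from the advisory, from Creative Contact Form or from jQuery File Upload. The log lines, IP addresses, timestamps and plugin URL paths are constructed assumptions, and the handler path matched by the script must be adapted to the site being checked.

```php
<?php
// Added detection example for this page, not code from the advisory or
// from the Creative Contact Form / jQuery File Upload projects.
// Flags the CVE-2014-8739 chain in Apache combined-format access logs:
// a POST to the upload handler, then a direct GET of a PHP file in files/.
declare(strict_types=1);

// Constructed log lines (IPs, paths and timestamps are assumptions).
const LOG_LINES = [
    '198.51.100.4 - - [10/Oct/2014:02:58:10 +0000] "GET /contact/ HTTP/1.1" 200 7312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2014:03:12:04 +0000] "POST /wp-content/plugins/contact-form/server/php/ HTTP/1.1" 200 88 "-" "python-requests/2.4"',
    '203.0.113.7 - - [10/Oct/2014:03:12:05 +0000] "GET /wp-content/plugins/contact-form/files/cmd.php?c=id HTTP/1.1" 200 41 "-" "python-requests/2.4"',
    '198.51.100.4 - - [10/Oct/2014:03:15:30 +0000] "GET /wp-content/plugins/contact-form/files/photo.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2014:04:01:00 +0000] "GET /wp-content/plugins/contact-form/files/shell.php HTTP/1.1" 404 209 "-" "curl/7.38"',
];

// Parse one combined-format line into its security-relevant fields.
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Return one finding per request for a PHP-family script under files/,
// noting whether the same client posted to the upload handler earlier.
function find_exploit_chains(array $lines): array
{
    $uploaders = [];   // ip => time of the last POST to the upload handler (assumed path)
    $findings  = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && stripos($r['path'], '/server/php/') !== false) {
            $uploaders[$r['ip']] = $r['time'];
            continue;
        }
        // Any request that would execute a PHP-family extension under files/.
        if (preg_match('#/files/[^/?]*\.ph(p\d?|tml|ar)(\?|$)#i', $r['path'])) {
            $findings[] = [
                'ip'                 => $r['ip'],
                'time'               => $r['time'],
                'path'               => $r['path'],
                'status'             => $r['status'],
                'preceded_by_upload' => isset($uploaders[$r['ip']]),
            ];
        }
    }
    return $findings;
}

foreach (find_exploit_chains(LOG_LINES) as $f) {
    printf("%s %s %s status=%d %s\n",
        $f['time'], $f['ip'], $f['path'], $f['status'],
        $f['preceded_by_upload'] ? 'UPLOAD-THEN-EXECUTE' : 'probe only');
}
```

On the constructed input the script reports the 203.0.113.7 request for files/cmd.php as an upload-then-execute chain and the 192.0.2.9 request for files/shell.php as a probe that returned 404, while the legitimate files/photo.jpg download is not flagged. A 200 response to any script under the upload directory is worth investigating on its own, because nothing should legitimately execute there.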
Possible countermeasure
Creative Contact Form: update to version 1.0.0 (WordPress) or 2.0.1 (Joomla!), or a newer patched version
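Updating is the fix for this CVE. For anyone maintaining an upload handler of their own, the following PHP is an added illustration written for this page (not code from Creative Contact Form or jQuery File Upload) of the CWE-434 weakness beside a hardened check. The accept-everything regular expression stands in for a weak type check and is an assumption, not a quotation of the plugin's code; the extension allow-list, the list of executable name segments and the sample file names are constructed for the example. It requires PHP 7.1 or newer.

```php
<?php
// Added illustrative example, not code from the Creative Contact Form or
// jQuery File Upload projects. It contrasts an accept-everything upload
// check (the CWE-434 pattern behind CVE-2014-8739) with an allow-list
// check, using constructed sample names instead of a live $_FILES array.
declare(strict_types=1);

// Vulnerable pattern (assumed for illustration): a regex that matches every
// file name accepts "shell.php" exactly like "photo.jpg".
function vulnerable_accepts(string $name): bool
{
    return (bool) preg_match('/.+$/i', $name);
}

// Hardened pattern: allow-list of extensions, rejection of any dot-separated
// segment a web server might treat as executable (so "shell.php.jpg" is
// refused too), a content-derived MIME check, and a fresh server-chosen name.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const EXECUTABLE_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
                             'cgi', 'pl', 'asp', 'aspx', 'jsp', 'htaccess'];
const EXPECTED_MIME = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
                       'gif' => 'image/gif', 'pdf' => 'application/pdf'];

// $mimeFromContent must come from the bytes (e.g. finfo_file on the temp
// file), never from the client-supplied Content-Type. Returns the name to
// store the file under, or null to reject.
function hardened_accepts(string $name, string $mimeFromContent): ?string
{
    // Drop directory parts ("../../x.png") and normalise case.
    $base  = strtolower(basename(str_replace('\\', '/', $name)));
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return null;               // no extension, or a dotfile such as ".htaccess"
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_SEGMENTS, true)) {
            return null;           // double extension such as shell.php.jpg
        }
    }
    if (EXPECTED_MIME[$ext] !== $mimeFromContent) {
        return null;               // extension and content disagree
    }
    // Never reuse the client-supplied name: a random name defeats the
    // "direct request to files/<name>" step of the exploit chain.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: name plus the MIME type finfo would report.
$samples = [
    ['photo.jpg',      'image/jpeg'],
    ['shell.php',      'text/x-php'],
    ['shell.php.jpg',  'image/jpeg'],
    ['../../evil.png', 'image/png'],
    ['.htaccess',      'text/plain'],
];
foreach ($samples as [$name, $mime]) {
    printf("%-16s vulnerable=%s hardened=%s\n", $name,
        vulnerable_accepts($name) ? 'ACCEPT' : 'reject',
        hardened_accepts($name, $mime) === null ? 'reject' : 'ACCEPT');
}
```

The vulnerable check accepts all five samples; the hardened one accepts only photo.jpg and evil.png (the latter with its directory components stripped) and rejects the PHP file, the double extension and the dotfile. Validation alone is still not sufficient: the stored file should be written outside the document root, or into a directory where the web server is configured not to execute scripts, so that a file which slips through cannot be run by the direct request the description mentions.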
Further vulnerability information
- System: WordPress Plugin
- Product: Creative Contact Form
- Version: [*, 1.0.0)
Data provided by the National Vulnerability Database (NVD)
- Creative-solutions ≫ Creative Contact Form (platform: WordPress), version < 1.0.0
- Creative-solutions ≫ Creative Contact Form (platform: Joomla!), version < 2.0.1
- Jquery File Upload Project ≫ Jquery File Upload, version 6.4.4
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 91.55% | 0.997 |
| Source | CVSS Version | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.1 | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 2.0 | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.