7.5

CVE-2016-6565

NextGen Gallery <= 2.1.56 - Remote File Inclusion

The Imagely NextGen Gallery plugin for Wordpress prior to version 2.1.57 does not properly validate user input in the cssfile parameter of a HTTP POST request, which may allow an authenticated user to read arbitrary files from the server, or execute arbitrary code on the server in some circumstances (dependent on server configuration).
Mögliche Gegenmaßnahme
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery: Update to version 2.1.57, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Version *-2.1.56
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ImagelyNextgen Gallery SwPlatformwordpress Version < 2.1.57
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.52% 0.808
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 1.6 5.9
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6 6.8 6.4
AV:N/AC:M/Au:S/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

https://www.kb.cert.org/vuls/id/346175
Third Party Advisory
US Government Resource
https://www.securityfocus.com/bid/94356/
Third Party Advisory
VDB Entry