CVSS v3.0 Base Score: 7.5

CVE-2016-6565

The Imagely NextGen Gallery plugin for WordPress prior to version 2.1.57 may execute code from an uploaded malicious file.

NextGen Gallery <= 2.1.56 - Remote File Inclusion

The Imagely NextGen Gallery plugin for WordPress prior to version 2.1.57 does not properly validate user input in the cssfile parameter of an HTTP POST request, which may allow an authenticated user to read arbitrary files from the server, or execute arbitrary code on the server in some circumstances (dependent on server configuration).

Possible countermeasure
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery: Update to version 2.1.57, or a newer patched version.
Data provided by the National Vulnerability Database (NVD).
Affected configuration: Imagely NextGEN Gallery (software platform: WordPress), version < 2.1.57

Further vulnerability information
System: WordPress Plugin
Product: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Version: * to 2.1.56
No advisory was found for this CVE.
EPSS Metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   2.54%   0.829

CVSS Metrics
Source         Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov   7.5          1.6             5.9            CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov   6            6.8             6.4            AV:N/AC:M/Au:S/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

References
https://www.kb.cert.org/vuls/id/346175 (Third Party Advisory, US Government Resource)
https://www.securityfocus.com/bid/94356/ (Third Party Advisory, VDB Entry)
https://www.wordfence.com/threat-intel/vulnerabilities/id/f0de8ff3-ac03-4640-829d-66a8496aa8aa (Third Party Advisory)