9.8

CVE-2016-9835

Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file.

Data is provided by the National Vulnerability Database (NVD)
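As an added illustration of the vulnerability class the description names (this is not code from Zikula or from jcss.php, whose exact logic this page does not show), the PHP below contrasts a traversal filter that only considers forward slashes with one that confines the resolved path to the cache directory, and shows why calling unserialize() on file contents an attacker can steer the script to becomes PHP object injection. The function names, the cache directory layout and the sample input are assumptions made for the example.

```php
<?php
// Added example, not Zikula code. Requires PHP 8 (the "mixed" return type).
// CACHE_DIR, the function names and the sample input are assumptions.

declare(strict_types=1);

const CACHE_DIR = __DIR__ . '/cache';   // assumed location of generated CSS/JS cache files

// Weak check of the kind that breaks on Windows: only "/" and "../" are
// rejected. PHP on Windows also treats "\" as a directory separator, so a
// name such as "..\..\uploads\payload.txt" passes this test and escapes the
// cache directory.
function isSafeWeak(string $name): bool
{
    return strpos($name, '../') === false && strpos($name, '/') === false;
}

// Hardened check: canonicalise the candidate path with realpath(), which
// normalises both "/" and "\" and resolves symlinks, then require that the
// result still lies under the cache directory. Returns null when it does not
// (or when the file does not exist).
function resolveInsideCache(string $name): ?string
{
    $base = realpath(CACHE_DIR);
    $full = realpath(CACHE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    // Compare against the base plus a separator so that a sibling directory
    // whose name merely starts with the base name is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Vulnerable consumer: any file the weak filter lets through is read and
// passed to unserialize(). A serialized payload naming an autoloadable class
// is instantiated, and its __wakeup()/__destruct() run with the script's
// privileges; that is the object injection the description refers to.
function loadCachedWeak(string $name): mixed
{
    if (!isSafeWeak($name)) {
        return null;
    }
    $data = file_get_contents(CACHE_DIR . '/' . $name);
    return $data === false ? null : unserialize($data);
}

// Hardened consumer: path confined to the cache directory, and unserialize()
// told to build no objects at all. With allowed_classes => false every
// serialized object becomes __PHP_Incomplete_Class, so no gadget chain can
// start even if the file contents are attacker-controlled.
function loadCachedSafe(string $name): mixed
{
    $path = resolveInsideCache($name);
    if ($path === null) {
        return null;
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return null;
    }
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed attacker input: backslash traversal towards an assumed upload
// directory where a serialized file could have been placed.
$attackerName = "..\\..\\uploads\\payload.txt";

// The weak filter accepts this name because it contains no forward slash;
// the hardened resolver rejects it because the canonical path (on Windows)
// leaves CACHE_DIR, and on other platforms the literal file does not exist.
var_dump(isSafeWeak($attackerName));
var_dump(resolveInsideCache($attackerName));
```

The two defences are independent and both matter: confining the path stops the traversal, and refusing object instantiation means that even a file written into the cache directory by some other route cannot be turned into code execution through unserialize(). Where the cached data is only arrays and scalars, json_encode()/json_decode() removes the deserialization surface entirely.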
Affected product versions (as listed by NVD):

Zikula Application Framework 1.3.10 rc1
Zikula Application Framework 1.4.0 rc1
Zikula Application Framework 1.4.0 rc2
Zikula Application Framework 1.4.0 rc3
Zikula Application Framework 1.4.0 rc4
Zikula Application Framework 1.4.0 rc5
Zikula Application Framework 1.4.3 rc1
Zikula Application Framework 1.4.3 rc2
Zikula Application Framework 1.4.3 rc3
No CISA KEV entry or CERT.AT advisory was found for this CVE.

EPSS metrics

Type  Source     Score  Percentile
EPSS  FIRST.org  3.91%  0.872

CVSS metrics

Source        Base score  Exploitability score  Impact score  Vector string
nvd@nist.gov  9.8         3.9                   5.9           CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov  7.5         10.0                  6.4           AV:N/AC:L/Au:N/C:P/I:P/A:P (CVSS v2)
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

http://www.securityfocus.com/bid/95005 (Third Party Advisory, VDB Entry)
https://github.com/zikula/core/blob/1.3/CHANGELOG-1.3.md (Patch, Third Party Advisory, Release Notes, Issue Tracking)
https://github.com/zikula/core/blob/1.4/CHANGELOG-1.4.md (Patch, Third Party Advisory, Release Notes, Issue Tracking)
https://github.com/zikula/core/issues/3237 (Patch, Third Party Advisory, Issue Tracking)