CVE-2014-3782

Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some other PHP file extension.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:S/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
dotcleardotclear
𝑥
≤ 2.6.2
dotcleardotclear
2.6
dotcleardotclear
2.6:rc
dotcleardotclear
2.6.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dotclear
disco
dne
cosmic
dne
bionic
dne
artful
dne
zesty
dne
yakkety
dne
xenial
not-affected
wily
ignored
vivid
ignored
utopic
ignored
trusty
dne
saucy
ignored
precise
ignored
lucid
dne
References
http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3
http://karmainsecurity.com/KIS-2014-06
http://seclists.org/fulldisclosure/2014/May/108
http://seclists.org/fulldisclosure/2014/May/116
http://seclists.org/fulldisclosure/2014/May/122
http://secunia.com/advisories/58675
http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3
http://karmainsecurity.com/KIS-2014-06
http://seclists.org/fulldisclosure/2014/May/108
http://seclists.org/fulldisclosure/2014/May/116
http://seclists.org/fulldisclosure/2014/May/122
http://secunia.com/advisories/58675