Lucene search

[email protected]CVE-2008-2742

HistoryJun 17, 2008 - 3:41 p.m.

CVE-2008-2742

2008-06-1715:41:00

CWE-20

[email protected]

web.nvd.nist.gov

cve-2008-2742

achievo

file upload

remote code execution

security vulnerability

nvd

8.5 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.054 Low

EPSS

Percentile

93.1%

JSON

Unrestricted file upload in the mcpuk file editor (atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php) in Achievo 1.2.0 through 1.3.2 allows remote attackers to execute arbitrary code by uploading a file with .php followed by a safe extension, then accessing it via a direct request to the file in the Achievo root directory. NOTE: this is only a vulnerability in environments that support multiple extensions, such as Apache with the mod_mime module enabled.

CPENameOperatorVersion
achievo:achievoachievoeq1.2.0
achievo:achievoachievoeq1.3.2
achievo:achievoachievoeq1.3.1
achievo:achievoachievoeq1.2.1
achievo:achievoachievoeq1.3.0

CPE	Name	Operator	Version
achievo:achievo	achievo	eq	1.2.0
achievo:achievo	achievo	eq	1.3.2
achievo:achievo	achievo	eq	1.3.1
achievo:achievo	achievo	eq	1.2.1
achievo:achievo	achievo	eq	1.3.0

References

secunia.com/advisories/30597

www.achievo.org/blog/archives/631-Achievo-1.3.3-Security-Release.html

www.securityfocus.com/bid/29621

exchange.xforce.ibmcloud.com/vulnerabilities/42980

www.exploit-db.com/exploits/5770

8.5 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.054 Low

EPSS

Percentile

93.1%

JSON

Related for CVE-2008-2742

cvelist1 prion1