3 matches found
CVE-2015-2087
CVE-2015-2087: Drupal Avatar Uploader module (6.x-1.x) before 6.x-1.3 has an unrestricted file upload flaw due to inadequate file-extension validation, enabling remote authenticated users to upload a PHP file and execute code via unspecified vectors. The fixed version is Avatar Uploader 6.x-1.3. ...
CVE-2015-2087
Unrestricted file upload vulnerability in the Avatar Uploader module before 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via unspecified vectors...
SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution
Avatar Uploader module provides an alternative way to upload user pictures. The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server. This...