CVE-2014-2664 Information

Description

Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension then accessing it via a direct request to the file in an unspecified directory.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://karmainsecurity.com/KIS-2014-04 http://secunia.com/advisories/57315 http://www.securityfocus.com/bid/66506/discuss https://exchange.xforce.ibmcloud.com/vulnerabilities/92169 https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8