CVE-2014-8739 Information

Feb 14, 2021 cve

Description

Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla! allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension then accessing it via a direct request to the file in files/ as exploited in the wild in October 2014.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://osvdb.org/show/osvdb/113669 http://osvdb.org/show/osvdb/113673 http://www.openwall.com/lists/oss-security/2014/11/11/4 http://www.openwall.com/lists/oss-security/2014/11/11/5 http://www.openwall.com/lists/oss-security/2014/11/13/3 https://wordpress.org/plugins/sexy-contact-form/changelog/ https://www.exploit-db.com/exploits/35057/ https://www.exploit-db.com/exploits/36811/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8

Share on: