CVE-2016-9268 Information

Description

Unrestricted file upload vulnerability in the Blog appearance in the \Install or upgrade manually\ module in Dotclear through 2.10.4 allows remote authenticated super-administrators to execute arbitrary code by uploading a theme file with an zip extension and then accessing it via unspecified vectors.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Reference

http://dev.dotclear.org/2.0/changeset/445e9ff79a1fa81033591761d6a340e219d159b2 http://dev.dotclear.org/2.0/ticket/2214 http://www.securityfocus.com/bid/94246

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.2