Description

Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permissions to execute arbitrary PHP code by uploading a file with a (1) .pht, (2) .phps, or (3) .phtml extension.

Remediation

References

CVE-2015-8832

Related Vulnerabilities

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-2038)

WordPress 4.7.x Prototype Pollution (4.7 - 4.7.22)

YetiForce CRM Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-2924)

IBM WebSEAL Insertion of Sensitive Information into Log File Vulnerability (CVE-2017-1480)

Oracle Database Server CVE-2015-2629 Vulnerability (CVE-2015-2629)

Severity

High

Classification

CVE-2015-8832 CWE-284 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities