Description
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.
Remediation
References