Description

Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.

Remediation

References

CVE-2014-1832

Related Vulnerabilities

ReviveAdserver Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2014-9407)

TYPO3 Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2013-4321)

WordPress Plugin LearnPress-WordPress LMS Multiple Vulnerabilities (4.1.7.3.2)

WordPress Plugin Real WYSIWYG 'insert_file.php' Arbitrary File Upload (0.0.2)

WordPress Plugin WooCommerce Possible Remote Code Execution (3.4.5)

Severity

Low

Classification

CVE-2014-1832

Tags

Missing Update Known Vulnerabilities