Candidate: CVE-2015-8832
PublicDate: 2017-02-09
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8832
https://hg.dotclear.org/dotclear/rev/198580bc3d80
https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2
http://www.openwall.com/lists/oss-security/2016/03/05/4
Description:
Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php
in Dotclear before 2.8.2 allow remote authenticated users with "manage
their own media items" and "manage their own entries and comments"
permissions to execute arbitrary PHP code by uploading a file with a (1)
.pht, (2) .phps, or (3) .phtml extension.
Ubuntu-Description:
Notes:
Bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815979
Priority: medium
Discovered-by:
Assigned-to:
Patches_dotclear:
upstream: https://hg.dotclear.org/dotclear/rev/198580bc3d80
upstream_dotclear: needs-triage
precise_dotclear: ignored (reached end-of-life)
precise/esm_dotclear: DNE (precise was needs-triage)
trusty_dotclear: needs-triage
vivid/stable-phone-overlay_dotclear: DNE
vivid/ubuntu-core_dotclear: DNE
wily_dotclear: ignored (reached end-of-life)
xenial_dotclear: needed
yakkety_dotclear: DNE
zesty_dotclear: DNE
devel_dotclear: DNE