CVE-2011-1584
Published: Jun 8, 2011
Modified: Sep 17, 2024
PUBLISHED
Description
The updateFile function in inc/core/class.dc.media.php in the Media Manager in Dotclear before 2.2.3 does not properly restrict pathnames, which allows remote authenticated users to upload and execute arbitrary PHP code via the media_path or media_file parameter. NOTE: some of these details are obtained from third party information.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
- [oss-security] 20110413 CVE request: dotclear before 2.2.3 (mailing-list, x_refsource_MLIST)
- [oss-security] 20110415 Re: CVE request: dotclear before 2.2.3 (mailing-list, x_refsource_MLIST)
- [oss-security] 20110415 Re: CVE request: dotclear before 2.2.3 (mailing-list, x_refsource_MLIST)
- http://fr.dotclear.org/blog/post/2011/04/01/Dotclear-2.2.3 (x_refsource_CONFIRM)
- http://dotclear.org/blog/post/2011/04/01/Dotclear-2.2.3 (x_refsource_CONFIRM)
- http://www.arcabit.com/english/home/a-flaw-in-dotclear (x_refsource_MISC)
- http://dev.dotclear.org/2.0/changeset/2:3427 (x_refsource_MISC)
- 44049 (third-party-advisory, x_refsource_SECUNIA)
- [oss-security] 20110414 Re: CVE request: dotclear before 2.2.3 (mailing-list, x_refsource_MLIST)