CVE-2016-9492

Published: Jul 13, 2018

Modified: Aug 6, 2024

PUBLISHED

Description

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

Vendor, Product, Versions

Vendor: PHP FormMail
Product: Generator
Versions: affected, 17/12/2016 - < 17/12/2016

Weaknesses (CWE)

References

96718 (vdb-entry, x_refsource_BID)
VU#608591 (third-party-advisory, x_refsource_CERT-VN)
