CVE-2016-15017

A vulnerability has been found in fabarea media_upload and classified as critical. This vulnerability affects the function getUploadedFileList of the file Classes/Service/UploadFileService.php. The manipulation leads to pathname traversal. Upgrading to version 0.9.0 is able to address this issue. The name of the patch is b25d42a4981072321c1a363311d8ea2a4ac8763a. It is recommended to upgrade the affected component. VDB-217786 is the identifier assigned to this vulnerability.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/fabarea/media_upload/commit/b25d42a4981072321c1a363311d8ea2a4ac8763a	Patch Third Party Advisory
https://vuldb.com/?ctiid.217786	Third Party Advisory
https://github.com/fabarea/media_upload/releases/tag/0.9.0	Third Party Advisory
https://vuldb.com/?id.217786	Third Party Advisory
https://github.com/fabarea/media_upload/issues/6	Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:ecodev:media_upload:*:*:*:*:*:typo3:*:*

Information

Published : 2023-01-10 07:15

Updated : 2023-01-14 13:45

NVD link : CVE-2016-15017

Mitre link : CVE-2016-15017

JSON object : View

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Advertisement

Products Affected

ecodev

media_upload

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/fabarea/media_upload/commit/b25d42a4981072321c1a363311d8ea2a4ac8763a", "name": "https://github.com/fabarea/media_upload/commit/b25d42a4981072321c1a363311d8ea2a4ac8763a", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://vuldb.com/?ctiid.217786", "name": "https://vuldb.com/?ctiid.217786", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/fabarea/media_upload/releases/tag/0.9.0", "name": "https://github.com/fabarea/media_upload/releases/tag/0.9.0", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://vuldb.com/?id.217786", "name": "https://vuldb.com/?id.217786", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/fabarea/media_upload/issues/6", "name": "https://github.com/fabarea/media_upload/issues/6", "tags": ["Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A vulnerability has been found in fabarea media_upload and classified as critical. This vulnerability affects the function getUploadedFileList of the file Classes/Service/UploadFileService.php. The manipulation leads to pathname traversal. Upgrading to version 0.9.0 is able to address this issue. The name of the patch is b25d42a4981072321c1a363311d8ea2a4ac8763a. It is recommended to upgrade the affected component. VDB-217786 is the identifier assigned to this vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-22"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2016-15017", "ASSIGNER": "cna@vuldb.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2023-01-10T15:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ecodev:media_upload:*:*:*:*:*:typo3:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "0.9.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-01-14T21:45Z"}