Summary
Quick Poll is prone to a local file-include vulnerability and an arbitrary-file- deletion vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit a local file-include vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer
other attacks are
also possible.
Attackers can exploit arbitrary-file deletion vulnerability with directory- traversal strings ('../') to delete arbitrary files this may aid in
launching further attacks.
Versions prior to Quick Poll 1.0.2 are vulnerable.
Solution
Vendor patch is available. Please see the reference for details.
References
Severity
Classification
-
CVE CVE-2011-1099 -
CVSS Base Score: 5.8
AV:N/AC:M/Au:N/C:P/I:N/A:P
Related Vulnerabilities
- 1024 CMS 1.1.0 Beta 'force_download.php' Local File Include Vulnerability
- Apache Tomcat NIO Connector Denial of Service Vulnerability
- AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities
- AdaptCMS Lite Cross Site Scripting and Remote File Include Vulnerabilities
- Apache Archiva Home Page Cross-Site Scripting vulnerability