Description

Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permissions to execute arbitrary PHP code by uploading a file with a (1) .pht, (2) .phps, or (3) .phtml extension.

Remediation

References

CVE-2015-8832

Related Vulnerabilities

WordPress Plugin Contact Form Email Cross-Site Scripting (1.1.47)

PHP Improper Input Validation Vulnerability (CVE-2021-21705)

WordPress Plugin Mailing List 'wpabspath' Parameter Remote File Include (1.3.3)

MySQL CVE-2017-3317 Vulnerability (CVE-2017-3317)

WordPress Plugin Qards Cross-Site Scripting (1.4.3)

Severity

High

Classification

CVE-2015-8832 CWE-284 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities