Description

There is a vulnerability in the 2.8.5, 2.8.6 downloadable versions of OpenX that can result in a server running the downloaded version of OpenX being compromised. A remote attacker could use this functionality to upload and execute executable files on the system. To test this vulnerability, Acunetix created a file named testing_test on the server. You will need to delete this file.

Remediation

It is recommended to update to OpenX version 2.8.7 or to delete the following file from the OpenX installation [openx_dir]/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

References

CVE-2009-4140

Related Vulnerabilities

WebLogic CVE-2021-1996 Vulnerability (CVE-2021-1996)

PostgreSQL NULL Pointer Dereference Vulnerability (CVE-2016-5423)

reveal.js Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-8127)

OpenSSL Improper Input Validation Vulnerability (CVE-2009-3245)

MyBB Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-9414)

Severity

High

Classification

CVE-2009-4140 CWE-434 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Arbitrary File Creation Code Execution Known Vulnerabilities