ID CVE-2014-2088
Summary Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4.1 allows remote authenticated users to execute arbitrary PHP code by using a .php filename in an upload_files action to the uploadFiles command, and then accessing the .php file via a direct request to a certain client_id pathname. Per: http://cwe.mitre.org/data/definitions/434.html "CWE-434: Unrestricted Upload of File with Dangerous Type"
References
Vulnerable Configurations
  • cpe:2.3:a:ilias:ilias:4.4.1:*:*:*:*:*:*:*
CVSS
Base: 6.5 (as of 03-03-2014 - 17:24)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: SINGLE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
refmap via4
misc http://packetstormsecurity.com/files/125350/ILIAS-4.4.1-Cross-Site-Scripting-Shell-Upload.html
Last major update 03-03-2014 - 17:24
Published 02-03-2014 - 17:55
Last modified 03-03-2014 - 17:24