CVE-2018-9206 - Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

CVE-2018-9206

Summary

Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

References

Vulnerable Configurations

cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:6.4.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:6.4.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.3.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.3.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.3.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.3.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.3.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.3.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.4.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.4.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.4.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.4.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.4.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.4.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.4.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.4.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.5.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.6.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.6.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.6.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.6.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.7.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.7.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.7.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.7.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.8.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.8.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.8.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.8.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.8.5:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.8.5:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.8.7:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.8.7:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.9.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:8.9.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.0.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.0.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.0.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.0.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.2.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.2.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.2.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.2.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.3.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.3.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.4.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.4.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.4.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.4.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.4.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.4.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.5:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.5:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.6:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.6:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.7:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.7:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.8:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.5.8:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.6.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.6.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.7.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.7.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.7.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.7.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.7.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.7.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.8.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.8.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.8.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.8.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.9.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.5:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.5:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.6:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.6:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.7:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.10.7:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.11.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.11.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.11.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.11.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.11.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.11.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.4:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.5:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.5:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.6:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.12.6:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.13.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.13.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.13.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.13.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.14.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.14.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.14.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.14.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.14.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.14.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.15.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.15.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.16.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.16.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.17.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.17.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.18.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.18.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.19.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.19.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.19.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.19.1:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.19.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.19.2:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.19.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.19.3:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.20.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.20.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.21.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.21.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.22.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:9.22.0:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 11-09-2019 - 19:28)
Impact:
Exploitability:

CWE

CWE-434

CAPEC

Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

d2sec via4

name	jQuery File Upload
url	http://www.d2sec.com/exploits/jquery_file_upload.html

refmap via4

bid	105679 106629
confirm	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
exploit-db	45790 46182
misc	http://www.vapidlabs.com/advisory.php?v=204 https://wpvulndb.com/vulnerabilities/9136

Last major update

11-09-2019 - 19:28

Published

11-10-2018 - 15:29

Last modified

11-09-2019 - 19:28