Show plain JSON{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*", "matchCriteriaId": "63C25622-F79A-48DC-A55A-2D17B29A0DAA", "versionEndExcluding": "5.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:dedecms:dedecms:5.7:-:*:*:*:*:*:*", "matchCriteriaId": "787DA248-344B-42CB-95C4-D664BCE46208", "vulnerable": true}, {"criteria": "cpe:2.3:a:dedecms:dedecms:5.7:sp1:*:*:*:*:*:*", "matchCriteriaId": "25EDFC1F-1C18-4B7A-A1DC-91C55297360A", "vulnerable": true}, {"criteria": "cpe:2.3:a:dedecms:dedecms:5.7:sp2:*:*:*:*:*:*", "matchCriteriaId": "EA222D65-E618-44BA-AD1B-DB4288876E1D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as \"1.jpg.php\" (because input validation only checks that .jpg, .png, or .gif is present as a substring, and does not otherwise check the file name or content)."}, {"lang": "es", "value": "DedeCMS, hasta la versi\u00f3n V5.7SP2, permite la subida de archivos arbitrarios en dede/album_edit.php o dede/album_add.php, tal y como queda demostrado con una petici\u00f3n dede/album_edit.php?dopost=saveformzip=1 con un archivo ZIP que contiene un archivo como \"1.jpg.php\" (debido a que la validaci\u00f3n de entradas solo comprueba que est\u00e9 presente .jpg, .png, o .gif como subcadena y no comprueba el nombre de archivo o el contenido)."}], "id": "CVE-2019-8362", "lastModified": "2024-11-21T04:49:45.797", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-16T22:29:00.380", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://tusk1.cn/2019/02/16/dedecms%20v5.7%20sp2%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "http://tusk1.cn/2019/02/16/dedecms%20v5.7%20sp2%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]} 
MITRE
Vulnrichment
NVD
Redhat