fabarea media_upload prima 0.9.0 su TYPO3 UploadFileService.php getUploadedFileList directory traversal

VoceHistoryDiffjsonxmlCTI

In fabarea media_upload stata rilevata una vulnerabilità di livello critico. Da questa vulnerabilità è interessato la funzione getUploadedFileList del file Classes/Service/UploadFileService.php. Attraverso la manipolazione di un input sconosciuto per mezzo di una vulerabilità di classe directory traversal. L'advisory è scaricabile da github.com. Questo punto di criticità è identificato come CVE-2016-15017. L'attuazione dell'attacco deve avvenire localmente. I dettagli tecnici sono conosciuti. È stato dichiarato come non definito. L'aggiornamento alla versione 0.9.0 elimina questa vulnerabilità. L'aggiornamento è scaricabile da github.com. Il bugfix è scaricabile da github.com. Il miglior modo suggerito per attenuare il problema è aggiornamento all'ultima versione. Una possibile soluzione è stata pubblicata prima e non solo dopo la pubblicazione della vulnerabilità.

Campo	10/01/2023 15:09	31/01/2023 08:40	31/01/2023 08:44
vendor	fabarea	fabarea	fabarea
name	media_upload	media_upload	media_upload
platform	TYPO3	TYPO3	TYPO3
file	Classes/Service/UploadFileService.php	Classes/Service/UploadFileService.php	Classes/Service/UploadFileService.php
function	getUploadedFileList	getUploadedFileList	getUploadedFileList
cwe	21 (directory traversal)	21 (directory traversal)	21 (directory traversal)
risk	2	2	2
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
url	https://github.com/fabarea/media_upload/issues/6	https://github.com/fabarea/media_upload/issues/6	https://github.com/fabarea/media_upload/issues/6
name	Upgrade	Upgrade	Upgrade
upgrade_version	0.9.0	0.9.0	0.9.0
upgrade_url	https://github.com/fabarea/media_upload/releases/tag/0.9.0	https://github.com/fabarea/media_upload/releases/tag/0.9.0	https://github.com/fabarea/media_upload/releases/tag/0.9.0
patch_name	b25d42a4981072321c1a363311d8ea2a4ac8763a	b25d42a4981072321c1a363311d8ea2a4ac8763a	b25d42a4981072321c1a363311d8ea2a4ac8763a
patch_url	https://github.com/fabarea/media_upload/commit/b25d42a4981072321c1a363311d8ea2a4ac8763a	https://github.com/fabarea/media_upload/commit/b25d42a4981072321c1a363311d8ea2a4ac8763a	https://github.com/fabarea/media_upload/commit/b25d42a4981072321c1a363311d8ea2a4ac8763a
cve	CVE-2016-15017	CVE-2016-15017	CVE-2016-15017
responsible	VulDB	VulDB	VulDB
date	1673305200 (10/01/2023)	1673305200 (10/01/2023)	1673305200 (10/01/2023)
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_av	A	A	A
cvss2_vuldb_au	S	S	S
cvss2_vuldb_e	ND	ND	ND
cvss3_vuldb_av	A	A	A
cvss3_vuldb_pr	L	L	L
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_e	X	X	X
cvss2_vuldb_basescore	5.2	5.2	5.2
cvss2_vuldb_tempscore	4.5	4.5	4.5
cvss3_vuldb_basescore	5.5	5.5	5.5
cvss3_vuldb_tempscore	5.3	5.3	5.3
cvss3_meta_basescore	5.5	5.5	6.9
cvss3_meta_tempscore	5.3	5.3	6.9
price_0day	$0-$5k	$0-$5k	$0-$5k
identifier		b25d42a4981072321c1a363311d8ea2a4ac8763a	b25d42a4981072321c1a363311d8ea2a4ac8763a
cve_assigned		1673305200 (10/01/2023)	1673305200 (10/01/2023)
cve_nvd_summary		A vulnerability has been found in fabarea media_upload and classified as critical. This vulnerability affects the function getUploadedFileList of the file Classes/Service/UploadFileService.php. The manipulation leads to pathname traversal. Upgrading to version 0.9.0 is able to address this issue. The name of the patch is b25d42a4981072321c1a363311d8ea2a4ac8763a. It is recommended to upgrade the affected component. VDB-217786 is the identifier assigned to this vulnerability.	A vulnerability has been found in fabarea media_upload and classified as critical. This vulnerability affects the function getUploadedFileList of the file Classes/Service/UploadFileService.php. The manipulation leads to pathname traversal. Upgrading to version 0.9.0 is able to address this issue. The name of the patch is b25d42a4981072321c1a363311d8ea2a4ac8763a. It is recommended to upgrade the affected component. VDB-217786 is the identifier assigned to this vulnerability.
cvss3_nvd_av			N
cvss3_nvd_ac			L
cvss3_nvd_pr			N
cvss3_nvd_ui			N
cvss3_nvd_s			U
cvss3_nvd_c			H
cvss3_nvd_i			H
cvss3_nvd_a			H
cvss2_nvd_av			A
cvss2_nvd_ac			L
cvss2_nvd_au			S
cvss2_nvd_ci			P
cvss2_nvd_ii			P
cvss2_nvd_ai			P
cvss3_cna_av			A
cvss3_cna_ac			L
cvss3_cna_pr			L
cvss3_cna_ui			N
cvss3_cna_s			U
cvss3_cna_c			L
cvss3_cna_i			L
cvss3_cna_a			L
cve_cna			VulDB
cvss2_nvd_basescore			5.2
cvss3_nvd_basescore			9.8
cvss3_cna_basescore			5.5

◂ Precedente Visione D'insieme Il prossimo ▸

Might our Artificial Intelligence support you?

Check our Alexa App!