Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2008-0577

The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML.

Published

2008-02-05T02:00:00.000

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-264

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	drupal	project_issue_tracking_module	4.7	Yes
Application	drupal	project_issue_tracking_module	5.0	Yes

References

http://drupal.org/node/216063 ([email protected])
http://secunia.com/advisories/28731 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2008/0376/references ([email protected])
http://drupal.org/node/216063 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/28731 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/0376/references (af854a3a-2127-422b-91ae-364da2661108)