CVE-2015-0258: Unrestricted File Upload in Collabtive

Severity: 8.8 HIGH (NVD)
EPSS: 16.5% (top 5.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 17; latest update May 24

Description

Multiple incomplete blacklist vulnerabilities in the avatar upload functionality in manageuser.php in Collabtive before 2.1 allow remote authenticated users to execute arbitrary code by uploading a file with a (1) .php3, (2) .php4, (3) .php5, or (4) .phtml extension.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

NVD: o-dyn/collabtive < 2.1
Ubuntu: o-dyn/collabtive < 2.0+dfsg-6ubuntu1.1
CVEListV5: o-dyn/collabtive before 2.1

Also affects: Debian Linux 8.0, Ubuntu Linux 16.04

Patches

Vulnerability Details (3)

GHSA: GHSA-2hf9-vh2r-j6vp: Multiple incomplete blacklist vulnerabilities in the avatar upload functionality in manageuser (2022-05-24)
OSV: collabtive vulnerability (2020-10-19)
OSV: CVE-2015-0258: Multiple incomplete blacklist vulnerabilities in the avatar upload functionality in manageuser (2020-02-17)

Vendor Advisories (1)

Ubuntu: Collabtive vulnerability (2020-10-19)