CVE-2015-6967
published 2015-09-16


Priority: P2 | 64 | medium | 6.5 CVSS 2.0
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 49.31% (98.7th percentile)
Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
nibbleblog | nibbleblog | <= 4.0.4 |

Detection & IOCs (extracted from sources)

path: content/private/plugins/my_image/image.php
filename: image.php
url: admin.php?controller=plugins&action=config&plugin=my_image
path: content/private/plugins/my_image/
  • Detect POST requests to admin.php with query parameters controller=plugins&action=config&plugin=my_image containing a multipart upload of a .php file — this is the exploit upload vector.
  • Detect GET requests to content/private/plugins/my_image/image.php — this path is directly requested to trigger execution of the uploaded PHP payload.
  • The uploaded payload filename is always renamed to image.php by Nibbleblog regardless of the original upload filename; monitor for creation of or access to this file under the my_image plugin directory.
  • Check for the version string 'Nibbleblog 4.0.3 "Coffee"' in HTTP responses to identify vulnerable targets being fingerprinted by attackers.
  • Exploitation requires valid administrator credentials; the vulnerability is not unauthenticated. Brute-force or credential stuffing against admin.php may precede the upload.
  • The My Image plugin must be installed on the target Nibbleblog instance for the upload endpoint to exist; absence of the plugin will cause the exploit to fail.
  • Affected versions are Nibbleblog before 4.0.5; version 4.0.3 is confirmed vulnerable. The fix was introduced in 4.0.5.
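
The first two detection points above can be checked against web server access logs. The following is an added example, not code from this page or from Nibbleblog: it assumes Apache/nginx "combined" log format, and the names classify, scan and SAMPLE_LOG are hypothetical. It flags the plugin-config POST and any request for image.php, and raises severity when the same client did both.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_QUERY = {"controller": "plugins", "action": "config", "plugin": "my_image"}
PAYLOAD_PATH = "/content/private/plugins/my_image/image.php"

def classify(method, target):
    """Label one request: 'plugin_config_post', 'image_php_request' or None."""
    parts = urlsplit(target)
    # Decode %xx and collapse duplicate slashes so trivial path variants still match.
    path = re.sub(r"/{2,}", "/", unquote(parts.path)).lower()
    if path.endswith(PAYLOAD_PATH):
        return "image_php_request"
    if method == "POST" and path.endswith("/admin.php"):
        query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
        if all(query.get(k) == v for k, v in PLUGIN_QUERY.items()):
            return "plugin_config_post"
    return None

def scan(lines):
    """Return (severity, ip, timestamp, event) tuples for matching log lines."""
    posted, hits = set(), []  # posted: clients that submitted the My Image config form
    for line in lines:
        m = LOG_RE.match(line)
        event = classify(m["method"], m["target"]) if m else None
        if event == "plugin_config_post":
            # Access logs do not record the multipart body, so the uploaded
            # filename is not visible here; the POST alone is only a lead.
            posted.add(m["ip"])
            hits.append(("medium", m["ip"], m["ts"], event))
        elif event == "image_php_request":
            # Same client submitted the form earlier: upload-then-request sequence.
            severity = "high" if m["ip"] in posted else "medium"
            hits.append((severity, m["ip"], m["ts"], event))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real incident.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2015:10:00:01 +0000] "POST /admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [16/Sep/2015:10:00:05 +0000] "GET /content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [16/Sep/2015:10:01:00 +0000] "GET /admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.7 - - [16/Sep/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A GET of the config page is left unflagged because it is ordinary admin navigation; confirming an actual .php upload needs request-body logging (for example from a WAF) or file-integrity monitoring on the my_image directory.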