CVE-2016-9484
Published 2018-07-13
Priority: P3 · 50 · high · 7.5 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 4.41% (90.1th percentile)
The generated PHP form code does not properly validate user input folder directories, allowing a remote unauthenticated attacker to perform a path traversal and access arbitrary files on the server. The PHP FormMail Generator website does not use version numbers and is updated continuously. Any PHP form code generated by this website prior to 2016-12-06 may be vulnerable.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jqueryform | php_formmail_generator | < 2016-12-06 | 2016-12-06 |
| php_formmail | generator | >= 2016-12-06 < 2016-12-06 | 2016-12-06 |
CVSS provenance
nvd · v3.0 · 7.5 · HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
GHSA
GHSA-jfh9-jwf2-w35r: The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function
ghsa_unreviewed·2022-05-13·CVSS 7.5
CVE-2016-9483 [HIGH] CWE-502
The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or along with CVE-2016-9484 to perform local file inclusion attacks and obtain files from the server.
GHSA
GHSA-r29g-5mgx-4588: The generated PHP form code does not properly validate user input folder directories, allowing a remote unauthenticated attacker to perform a path tra
ghsa_unreviewed·2022-05-13
CVE-2016-9484 [HIGH] CWE-22
The generated PHP form code does not properly validate user input folder directories, allowing a remote unauthenticated attacker to perform a path traversal and access arbitrary files on the server. The PHP FormMail Generator website does not use version numbers and is updated continuously. Any PHP form code generated by this website prior to 2016-12-06 may be vulnerable.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.