CVE-2018-9205
Published: 2018-04-04
CVE-2018-9205: Vulnerability in avatar_uploader v7.x-1.0-beta8. The code in view.php doesn't verify users or sanitize the file path.
Priority: P1 · 79 · high · CVSS 3.0: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 56.92% (98.9th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | avatar_uploader | — | — |
| robbin_zhao | avatar_uploader | >= unspecified < 7.x-1.0-beta8 | 7.x-1.0-beta8 |
Detection & IOCs (extracted from sources)
- URL: {{BaseURL}}/sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../../../../../../../../etc/passwd
- Look for unauthenticated GET requests to view.php with a 'file' parameter containing path traversal sequences (e.g., '../') targeting the avatar_uploader module path.
- The vulnerable code passes the user-supplied 'file' GET parameter directly into file_get_contents() with no sanitization or authentication check, enabling arbitrary file read.
- A successful exploitation response returns HTTP 200 and contains /etc/passwd content matching the pattern 'root:.*:0:0:'.
- The Shodan query 'http.component:"drupal"' can be used to identify potentially exposed Drupal instances for proactive scanning.
- The vulnerability exists specifically in the demo component of the module (lib/demo/view.php), which should not be present in production deployments. Verify whether the demo directory is exposed on the target.
- Exploitation requires no authentication whatsoever: any unauthenticated remote user can trigger the LFI.
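As an added example (not part of this page or of any of the listed sources), the detection guidance above turned into log-side logic: it parses constructed combined-format access-log lines and flags requests to the module's demo view.php whose 'file' parameter carries a traversal sequence, recording the status code for triage. It goes slightly beyond the bullets by also catching percent-encoded and double-encoded forms of '../'; the log lines, IPs and timestamps are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access-log lines (IPs, timestamps and sizes are made up for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2023:10:01:02 +0000] "GET /sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1532 "-" "curl/7.88"
203.0.113.7 - - [14/Dec/2023:10:01:09 +0000] "GET /sites/all/modules/avatar_uploader/lib/demo/view.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1532 "-" "python-requests/2.31"
198.51.100.4 - - [14/Dec/2023:10:02:00 +0000] "GET /sites/all/modules/avatar_uploader/lib/demo/view.php?file=avatar.png HTTP/1.1" 200 4221 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Dec/2023:10:03:00 +0000] "GET /user/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Fields of one combined-format line that the check needs: client IP, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment bounded by slashes or backslashes (or string start/end).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
DEMO_VIEW_PATH = '/avatar_uploader/lib/demo/view.php'


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded traversal does not slip past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_request(target):
    """True if the request hits the module's demo view.php with a traversing 'file' parameter."""
    parts = urlsplit(target)
    if not parts.path.endswith(DEMO_VIEW_PATH):
        return False
    # parse_qs already decodes one layer; fully_decode catches encoded-again variants.
    for value in parse_qs(parts.query, keep_blank_values=True).get('file', []):
        if TRAVERSAL_RE.search(fully_decode(value)):
            return True
    return False


def find_traversal_hits(log_text):
    """Return (client_ip, status, target) per matching line; a 200 suggests the read succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_request(m.group('target')):
            hits.append((m.group('ip'), int(m.group('status')), m.group('target')))
    return hits
```

Run `find_traversal_hits(SAMPLE_LOG)` against real access logs by reading the file into `log_text`; a file-not-found read in PHP can still return 200, so treat the status only as a triage hint.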
CVSS provenance
- NVD v3.0: 7.5 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
- VulnCheck: 7.5 HIGH
GHSA
GHSA-42m8-gfgc-wg9v: Vulnerability in avatar_uploader v7
ghsa_unreviewed · 2022-05-14 · CVE-2018-9205 [HIGH] · CWE-22
VulnCheck
Drupal avatar_uploader Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2018 · CVE-2018-9205 [HIGH] · CVSS 7.5
Affected: Drupal avatar_uploader
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2018-9205; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-14&host_type=src&vulnerability=cve-2018-9205; https://dashboard.shadows
No detection rules found.
Exploit-DB
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
exploitdb · 2018-04-23 · CVE-2018-9205 [HIGH] · CVSS 7.5
---
#Title: Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
#Author: Larry W. Cashdollar
#Date: 2018-03-30
#CVE-ID: CVE-2018-9205
#Download Site: https://www.drupal.org/project/avatar_uploader
#Vendor: https://www.drupal.org/u/robbinzhao
#Vendor Notified: 2018-04-02
#Vendor Contact: https://www.drupal.org/project/avatar_uploader/issues/2957966#comment-12554146
#Advisory: http://www.vapidlabs.com/advisory.php?v=202
#Description: This module uses Simple Ajax Uploader and provides a basic uploader panel; for more effects you can write your own custom JavaScript, such as making the edit link slide up when the user's mouse hovers over the avatar, and so on.
#Vulnerability:
#The view.php contains code to retrieve files but no code to
Nuclei
Drupal avatar_uploader v7.x-1.0-beta8 - Local File Inclusion
nuclei · CVE-2018-9205 [HIGH] · CVSS 7.5
In avatar_uploader v7.x-1.0-beta8 the view.php program doesn't restrict file paths, allowing unauthenticated users to retrieve arbitrary files.
Template:
```yaml
id: CVE-2018-9205
info:
  name: Drupal avatar_uploader v7.x-1.0-beta8 - Local File Inclusion
  author: daffainfo
  severity: high
  description: In avatar_uploader v7.x-1.0-beta8 the view.php program doesn't restrict file paths, allowing unauthenticated users to retrieve arbitrary files.
  impact: |
    Unauthenticated attackers can read arbitrary files from the server, potentially exposing sensitive configuration files, credentials, and user data.
  remediation: Upgrade to the latest version of avatar_uploader.
  reference:
    - https://www.exploit-db.com/exploits/44501
    - https://nvd.nist.gov/v
```
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · listed under CVE-2020-28188 [HIGH]
Authors: Lei Xu, Yue Guan, Vaibhav Singhal · Published: April 12, 2021
Tags: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
References:
- http://www.vapidlabs.com/advisory.php?v=202
- https://www.drupal.org/project/avatar_uploader
- https://www.drupal.org/project/avatar_uploader/issues/2957966
- https://www.exploit-db.com/exploits/44501/