CVE-2013-0206

Sažetak

Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.

Reference

http://drupal.org/node/1883976
http://drupal.org/node/1883978
http://drupalcode.org/project/live_css.git/commitdiff/cb7005f
http://drupalcode.org/project/live_css.git/commitdiff/ef323c8
http://www.openwall.com/lists/oss-security/2013/01/21/5
https://drupal.org/node/1890318

CVSS

Base:	6.0
Impact:	6.4
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:S/C:P/I:P/A:P

Zadnje važnije ažuriranje

21-03-2013 - 09:26

Objavljeno

19-03-2013 - 14:55