CVE-2014-7237

Name of the Vulnerable Software and Affected Versions TWiki versions 6.0.0 and earlier

Description The issue allows remote attackers to bypass intended access restrictions and upload files with restricted names by using a null byte (%00) in a filename to bin/upload.cgi. This can be exploited to execute arbitrary code, as demonstrated using .htaccess.

Recommendations For TWiki versions 6.0.0 and earlier, consider restricting access to the bin/upload.cgi endpoint until a fix is available. As a temporary workaround, avoid using filenames containing null bytes (%00) to prevent exploitation.