CVE-2014-8085

Name of the Vulnerable Software and Affected Versions OSClass versions prior to 3.4.3

Description The issue allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension and then accessing it via a direct request. This is due to an unrestricted file upload vulnerability in the CWebContact::doModel method.

Recommendations For versions prior to 3.4.3, update to version 3.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the contact.php file in the oc-includes/osclass/controller directory to minimize the risk of exploitation. Avoid using the CWebContact::doModel method until the issue is resolved.