CVE-2008-0577

Name of the Vulnerable Software and Affected Versions Project Issue Tracking module versions 5.x-2.x-dev before 20080130 Project Issue Tracking module versions 5.x-1.2 and earlier Project Issue Tracking module versions 4.7.x-2.6 and earlier Project Issue Tracking module versions 4.7.x-1.6 and earlier

Description The issue allows remote attackers to upload and possibly execute arbitrary files due to a lack of restriction on the extensions of attached files when the Upload module is enabled for issue nodes. Additionally, it accepts the .html extension within the bundled file-upload functionality, allowing remote attackers to upload files containing arbitrary web script or HTML.

Recommendations For versions 5.x-2.x-dev before 20080130, update to a version after 20080130 to restrict file extensions. For versions 5.x-1.2 and earlier, update to a version later than 5.x-1.2 to restrict file extensions. For versions 4.7.x-2.6 and earlier, update to a version later than 4.7.x-2.6 to restrict file extensions. For versions 4.7.x-1.6 and earlier, update to a version later than 4.7.x-1.6 to restrict file extensions. As a temporary workaround, consider disabling the Upload module for issue nodes until a patch is available.