PT-2014-7222 · Infusionsoft · Infusionsoft Gravity Forms

G0Blin

Published

2014-09-26

Updated

2015-10-01

CVE-2014-6446

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Infusionsoft Gravity Forms plugin versions 1.5.3 through 1.5.10

Description The issue allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to "utilities/code generator.php". This is due to improper access restriction.

Recommendations For versions 1.5.3 through 1.5.10, consider restricting access to the "utilities/code generator.php" endpoint until a patch is available.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2014-6446

Affected Products

Infusionsoft Gravity Forms

PT-2014-7222 · Infusionsoft · Infusionsoft Gravity Forms

CVE-2014-6446

Weakness Enumeration

Related Identifiers

Affected Products

References · 9