PT-2015-5594 · Drupal · Drupal Avatar Uploader

Published

2015-02-26

Updated

2015-02-27

CVE-2015-2087

CVSS v2.0

6.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Drupal Avatar Uploader module versions prior to 6.x-1.3

Description The issue allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension. This is achieved through the Avatar Uploader module, which does not properly restrict file uploads.

Recommendations For versions prior to 6.x-1.3, update the Avatar Uploader module to version 6.x-1.3 or later to resolve the issue. As a temporary workaround, consider disabling the Avatar Uploader module until a patch is available. Restrict access to the module to minimize the risk of exploitation. Avoid using the module for file uploads until the issue is resolved.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2015-2087

Affected Products

Drupal Avatar Uploader

PT-2015-5594 · Drupal · Drupal Avatar Uploader

CVE-2015-2087

Related Identifiers

Affected Products

References · 4