PT-2018-18911 · Drupal · Avatar Uploader
Larry W. Cashdollar
·
Published
2018-04-04
·
Updated
2018-05-21
·
CVE-2018-9205
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
avatar uploader version 7.x-1.0-beta8
Description
The issue arises from the code in view.php, which fails to verify users and sanitize the file path, potentially leading to unauthorized access or malicious file uploads.
Recommendations
For avatar uploader version 7.x-1.0-beta8, consider implementing user verification and sanitizing file paths in the view.php code to prevent exploitation. As a temporary workaround, restrict access to the view.php file until a proper fix is applied.
Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Avatar Uploader