vendor:
PhpVibe
by:
Esac
7,5
CVSS
HIGH
Remote Arbitrary File Upload Vuln
434
CWE
Product Name: PhpVibe
Affected Version From: 3.1
Affected Version To: 3.1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2013
PhpVibe 3.1 – Multiple Vulnerabilites
A vulnerability exists in the upload.php file of PhpVibe, which allows an authenticated user to upload malicious files with double extensions such as .php.mp3, .php.mp4, and .php.flv. This allows an attacker to upload malicious files to the uploads folder and execute them.
Mitigation:
Ensure that the upload.php file is configured to only accept certain file types and to reject files with double extensions.
