
CVE-2014-2044
Date: (C)2014-10-07   (M)2023-12-22


Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 7.5
Exploit Score: 10.0
Impact Score: 6.4
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
  
Reference:
OSVDB-104082
http://www.securityfocus.com/archive/1/531365/100/0/threaded
EXPLOIT-DB-32162
SECUNIA-57267
BID-66000
http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/
owncloud-upload-file-upload(91757)

CPE    35
cpe:/a:owncloud:owncloud:4.0.12
cpe:/a:owncloud:owncloud:4.0.0
cpe:/a:owncloud:owncloud:4.0.11
cpe:/a:owncloud:owncloud:4.0.1
...
CWE    1
CWE-94

© SecPod Technologies