漏洞标题
N/A
漏洞描述信息
Drupal 项目问题跟踪模块5.x-2.x-dev 之前于20080130版本的版本(1)在问题节点上启用Upload模块时,不会限制附加文件的扩展名,这允许远程攻击者上传并执行任意文件;(2)在打包的文件上传功能中接受.html扩展名,这允许远程攻击者上传包含任意网页脚本或HTML的文件。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
drupal project_issue_tracking_module 权限许可和访问控制漏洞
漏洞描述信息
2008年1月30之前的Drupal 5.x-2.x 系列, 5.x-1.2 及5.x-1.x 系列早期版本, 4.7.x-2.6 及 4.7.x-2.x 系列的早期版本, 还有 4.7.x-1.6 及 4.7.x-1.x series系列的早期版本的Project Issue Tracking module 5.x-2.x-dev(1)在上传模块被激活时并不限制附件的扩展名,这会使远程攻击者可以上传和可能执行任意文件;(2)在文件设计范围内的.html文件上传,这会使远程攻击者可以上传包含任意web脚本
CVSS信息
N/A
漏洞类别
授权问题