CVE-2014-8739 – blueimp/jquery-file-upload

Package

Manager: composer
Name: blueimp/jquery-file-upload
Vulnerable Version: =6.4.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.78939 pctl0.99027

Details

jQuery File Upload Plugin Unrestricted file upload vulnerability Unrestricted file upload vulnerability in `server/php/UploadHandler.php` in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in `files/`, as exploited in the wild in October 2014.

Metadata

Created: 2022-05-17T19:57:26Z
Modified: 2024-04-25T20:34:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wxg6-f773-g2f7/GHSA-wxg6-f773-g2f7.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-wxg6-f773-g2f7
Finding: F027
Auto approve: 1