CVE-2020-7246 · CVEKit

cve.orgen

372 chars

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

NVDen

372 chars

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

NVDes

475 chars

Se presenta una vulnerabilidad de ejecución de código remota (RCE) en qdPM versión 9.1 y anteriores. Un atacante puede cargar un archivo de código PHP malicioso por medio de la funcionalidad profile photo, mediante el aprovechamiento de una vulnerabilidad de salto de ruta en la característica delete photo de users['photop_preview'], permitiendo la omisión de la protección .htaccess. NOTA: este problema se presenta debido a una corrección incompleta para el CVE-2015-3884.

CVSS metrics across sources

2

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	6.5	8.0	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
3.1	Primary	NVD	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H