Vulnerability Description
The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Drupal | Project Issue Tracking Module | 4.7 |
Related Weaknesses (CWE)
References
- http://drupal.org/node/216063
- http://secunia.com/advisories/28731 (Vendor Advisory)
- http://www.vupen.com/english/advisories/2008/0376/references
FAQ
What is CVE-2008-0577?
CVE-2008-0577 is a vulnerability with a CVSS score of 6.4 (MEDIUM). The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier...
How severe is CVE-2008-0577?
CVE-2008-0577 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2008-0577?
Check the references section above for vendor advisories and patch information. Affected products include: Drupal Project Issue Tracking Module.