Vulnerability Description
Directory traversal vulnerability in the bitrix.mpbuilder module before 1.0.12 for Bitrix allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the element name of the "work" array parameter to admin/bitrix.mpbuilder_step2.php.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitrix | Mpbuilder | <= 1.0.11 |
References
- http://packetstormsecurity.com/files/134766/bitrix.mpbuilder-Bitrix-1.0.10-LocalExploit
- http://www.securityfocus.com/archive/1/537067/100/0/threaded
- https://marketplace.1c-bitrix.ru/solutions/bitrix.mpbuilder/#tab-log-link
- https://www.exploit-db.com/exploits/38975/
- https://www.htbridge.com/advisory/HTB23281 (Exploit)
FAQ
What is CVE-2015-8358?
CVE-2015-8358 is a directory traversal vulnerability in the bitrix.mpbuilder module before 1.0.12 for Bitrix, with a CVSS score of 9.0 (HIGH). It allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the element name of the "work" array parameter to admin/bitrix.mpbuilder_step2.php.
How severe is CVE-2015-8358?
CVE-2015-8358 has been rated HIGH with a CVSS base score of 9.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2015-8358?
Check the references section above for vendor advisories and patch information. Affected products include: Bitrix Mpbuilder.