Vulnerability Description
The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jqueryform | Php Formmail Generator | < 2016-12-17 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/96718Third Party AdvisoryVDB Entry
- https://www.kb.cert.org/vuls/id/608591Third Party AdvisoryUS Government Resource
- http://www.securityfocus.com/bid/96718Third Party AdvisoryVDB Entry
- https://www.kb.cert.org/vuls/id/608591Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2016-9492?
CVE-2016-9492 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked a...
How severe is CVE-2016-9492?
CVE-2016-9492 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-9492?
Check the references section above for vendor advisories and patch information. Affected products include: Jqueryform Php Formmail Generator.