Vulnerability Description
The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jqueryform | Php Formmail Generator | < 2016-12-17 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/96718Third Party AdvisoryVDB Entry
- https://www.kb.cert.org/vuls/id/608591Third Party AdvisoryUS Government Resource
- http://www.securityfocus.com/bid/96718Third Party AdvisoryVDB Entry
- https://www.kb.cert.org/vuls/id/608591Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2016-9493?
CVE-2016-9493 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-co...
How severe is CVE-2016-9493?
CVE-2016-9493 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-9493?
Check the references section above for vendor advisories and patch information. Affected products include: Jqueryform Php Formmail Generator.