CVE-2008-5677 Details

Published: 2008-12-19
Last Modified: 2017-09-29
CVE Author: NIST National Vulnerability Database
CVE Assigner: cve@mitre.org
Summary

Unrestricted file upload vulnerability in Kwalbum 2.0.4, 2.0.2, and earlier, when PICS_PATH is located in the web root, allows remote authenticated users with upload capability to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file under items/, related to the ReplaceBadFilenameChars function in include/ItemAdder.php. NOTE: some of these details are obtained from third party information.
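The defect class described above is worth seeing side by side with its fix. The following is an added example, not code from Kwalbum or from this database entry: the advisory names ReplaceBadFilenameChars in include/ItemAdder.php but does not show it, so strip_bad_chars() below is a hypothetical stand-in for any filter that only replaces awkward characters and leaves the client's extension intact. safe_stored_name() is the policy a reviewer would ask for instead (allow-listed extension, content sniffing, server-chosen name). The sample uploads, the SCRIPT_EXT list and the magic-byte table are constructed for the demo.

```python
"""Character-only filename sanitisation versus an extension allow-list.

Added example, not code from Kwalbum or this database entry. strip_bad_chars()
is a hypothetical stand-in for a sanitiser that only replaces characters;
safe_stored_name() is the hardened policy.
"""
import os
import re
import secrets
from typing import Optional

# Extensions a photo gallery needs; anything else is refused outright.
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}

# Suffixes a PHP-enabled server may hand to the interpreter. Illustrative list
# for the demo, not a statement about any particular server's defaults.
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Leading bytes of the image formats we accept (constructed lookup table).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def strip_bad_chars(filename: str) -> str:
    """Hypothetical character-only sanitiser: drops any directory part and
    replaces characters outside [A-Za-z0-9._-] with '_'. The extension survives."""
    base = os.path.basename(filename.replace("\\", "/"))
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)


def would_execute(stored_name: str) -> bool:
    """True if any dotted suffix is a script extension. Checking every suffix,
    not only the last one, covers names such as shot.php.jpg on servers that
    evaluate each extension in turn."""
    suffixes = stored_name.lower().split(".")[1:]
    return any(s in SCRIPT_EXT for s in suffixes)


def sniff_image_ext(head: bytes) -> Optional[str]:
    """Return the image type implied by the file's first bytes, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return ext
    return None


def safe_stored_name(filename: str, head: bytes, token: str = "") -> str:
    """Allow-list the declared extension, require the content to agree with it,
    and discard the client-supplied base name in favour of a random one.
    `token` exists only so callers can make the result deterministic."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    ext = "jpg" if ext == "jpeg" else ext
    if sniff_image_ext(head) != ext:
        raise ValueError("content does not match declared extension")
    return f"{token or secrets.token_hex(8)}.{ext}"


# Constructed sample uploads: (client file name, first bytes of the body).
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shot.php.jpg", b"<?php echo 1; ?>"),
    ("../../../config.php", b"<?php echo 2; ?>"),
    ("fake.png", b"<?php echo 3; ?>"),  # wrong content for the extension
]


def compare_policies(samples=SAMPLES) -> dict:
    """For each sample, report the name the character-only policy would store,
    whether that name would execute under the web root, and what the
    allow-list policy does with the same upload."""
    report = {}
    for name, head in samples:
        legacy = strip_bad_chars(name)
        try:
            hardened = safe_stored_name(name, head, token="x")
        except ValueError as exc:
            hardened = f"rejected: {exc}"
        report[name] = {
            "legacy_name": legacy,
            "legacy_executes": would_execute(legacy),
            "hardened": hardened,
        }
    return report


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:24} -> {row}")
```

Whatever the filename policy, the precondition in the summary (PICS_PATH inside the web root) is the thing to break: keep uploads outside the document root, or serve the items/ directory with script execution disabled, so a file that slips past the filter is returned as bytes rather than run.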

Analysis
Common Vulnerability Scoring System v2.0
Severity High
Base Score 7.1/10
Exploitability Subscore 3.9/10
Access Vector Network
Access Complexity High
Authentication Single
Impact Subscore 10/10
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
Vector String AV:N/AC:H/Au:S/C:C/I:C/A:C
Common Vulnerability Scoring System v3.1

NIST has not assigned a CVSSv3.1 Score.

Products Reported
CPE Vulnerable Start Excluding
cpe:2.3:a:kwalbum:kwalbum:0.5.1:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.2:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.3:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.4:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.6:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.7:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.8:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.9:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.10:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.11:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.5.12:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.0:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.1:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.4:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.5:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.6:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.7:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.8:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.9:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.10:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.11:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.12:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.13:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.14:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.15:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.6.16:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.7.0:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.7.1:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.8.0:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.9.0:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.9.1:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.9.2:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.9.3:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:0.9.4:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:1.0:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:2.0:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:2.0.1:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:*:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:kwalbum:kwalbum:2.0.4:*:*:*:*:*:*:* Yes - -
References

http://secunia.com/advisories/32145
http://securityreason.com/securityalert/4789
http://www.securityfocus.com/bid/31568
https://exchange.xforce.ibmcloud.com/vulnerabilities/45655
https://www.exploit-db.com/exploits/6664

PCI Compliance
Fail
US-CERT Alert
No
CWE
CWE-20
