Unrestricted file upload vulnerability in Kwalbum 2.0.4, 2.0.2, and previous versions, when PICS_PATH is located in the web root, allows remote authenticated users with upload capability to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file under items/, related to the ReplaceBadFilenameChars function in include/ItemAdder.php. NOTE: some of these details are obtained from third party information.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
kwalbum kwalbum 0.9.3 |
||
kwalbum kwalbum 0.9.2 |
||
kwalbum kwalbum 0.6.15 |
||
kwalbum kwalbum 0.6.14 |
||
kwalbum kwalbum 0.6.7 |
||
kwalbum kwalbum 0.6.6 |
||
kwalbum kwalbum 0.5.9 |
||
kwalbum kwalbum 0.5.8 |
||
kwalbum kwalbum 2.0.1 |
||
kwalbum kwalbum 2.0 |
||
kwalbum kwalbum 0.8.0 |
||
kwalbum kwalbum 0.7.1 |
||
kwalbum kwalbum 0.6.11 |
||
kwalbum kwalbum 0.6.10 |
||
kwalbum kwalbum 0.6.0 |
||
kwalbum kwalbum 0.5.12 |
||
kwalbum kwalbum 0.5.4 |
||
kwalbum kwalbum 0.5.3 |
||
kwalbum kwalbum 2.0.4 |
||
kwalbum kwalbum |
||
kwalbum kwalbum 0.9.1 |
||
kwalbum kwalbum 0.9.0 |
||
kwalbum kwalbum 0.6.13 |
||
kwalbum kwalbum 0.6.12 |
||
kwalbum kwalbum 0.6.5 |
||
kwalbum kwalbum 0.6.4 |
||
kwalbum kwalbum 0.6.1 |
||
kwalbum kwalbum 0.5.7 |
||
kwalbum kwalbum 0.5.6 |
||
kwalbum kwalbum 1.0 |
||
kwalbum kwalbum 0.9.4 |
||
kwalbum kwalbum 0.7.0 |
||
kwalbum kwalbum 0.6.16 |
||
kwalbum kwalbum 0.6.9 |
||
kwalbum kwalbum 0.6.8 |
||
kwalbum kwalbum 0.5.11 |
||
kwalbum kwalbum 0.5.10 |
||
kwalbum kwalbum 0.5.2 |
||
kwalbum kwalbum 0.5.1 |
Vulmon