The patch for directory traversal (CVE-2017-5480) in b2evolution version 6.8.4-stable has a bypass vulnerability. An attacker can use ..\/ to bypass the filter rule. Then, this attacker can exploit this vulnerability to delete or read any files on the server. It can also be used to determine whether a file exists.
References
Link | Resource |
---|---|
http://b2evolution.net/downloads/6-8-5 | Patch Vendor Advisory |
http://www.securityfocus.com/bid/95700 | Third Party Advisory VDB Entry |
https://github.com/b2evolution/b2evolution/commit/e35f7c195d8c1103d2d981a48cda5ab45ecac48a | Issue Tracking Patch Third Party Advisory |
https://github.com/b2evolution/b2evolution/issues/36 | Issue Tracking Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-01-23T06:49:00
Updated: 2017-01-24T10:57:01
Reserved: 2017-01-19T00:00:00
Link: CVE-2017-5539
JSON object: View
NVD Information
Status : Analyzed
Published: 2017-01-23T07:59:00.500
Modified: 2019-10-03T00:03:26.223
Link: CVE-2017-5539
JSON object: View
Redhat Information
No data.
CWE