Vulnerability Details CVE-2008-4129
Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.1%
CVSS Severity
CVSS v2 Score 4.0
References
- http://gallery.menalto.com/gallery_1.5.9_released
- http://gallery.menalto.com/gallery_2.2.6_released
- http://secunia.com/advisories/31912
- http://secunia.com/advisories/32662
- http://secunia.com/advisories/33144
- http://security.gentoo.org/glsa/glsa-200811-02.xml
- http://www.securityfocus.com/bid/31231
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45228
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html
- http://gallery.menalto.com/gallery_1.5.9_released
- http://gallery.menalto.com/gallery_2.2.6_released
- http://secunia.com/advisories/31912
- http://secunia.com/advisories/32662
- http://secunia.com/advisories/33144
- http://security.gentoo.org/glsa/glsa-200811-02.xml
- http://www.securityfocus.com/bid/31231
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45228
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html
Products affected by CVE-2008-4129
-
cpe:2.3:a:gallery:gallery:*
-
cpe:2.3:a:gallery:gallery:2.2.0
-
cpe:2.3:a:gallery:gallery:2.2.1
-
cpe:2.3:a:gallery:gallery:2.2.2
-
cpe:2.3:a:gallery:gallery:2.2.3
-
cpe:2.3:a:gallery:gallery:2.2.4