Vulnerability Details CVE-2015-4393
The resource/endpoint for uploading files in the Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote authenticated users with the "Save file information" permission to execute arbitrary code via a crafted filename.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.013
EPSS Ranking 78.6%
CVSS Severity
CVSS v2 Score 6.0
References
- http://www.openwall.com/lists/oss-security/2015/04/25/6
- http://www.securityfocus.com/bid/74365
- https://www.drupal.org/node/2471847
- https://www.drupal.org/node/2471879
- http://www.openwall.com/lists/oss-security/2015/04/25/6
- http://www.securityfocus.com/bid/74365
- https://www.drupal.org/node/2471847
- https://www.drupal.org/node/2471879
Products affected by CVE-2015-4393
-
cpe:2.3:a:services_project:services:7.x-3.0
-
cpe:2.3:a:services_project:services:7.x-3.1
-
cpe:2.3:a:services_project:services:7.x-3.10
-
cpe:2.3:a:services_project:services:7.x-3.11
-
cpe:2.3:a:services_project:services:7.x-3.2
-
cpe:2.3:a:services_project:services:7.x-3.3
-
cpe:2.3:a:services_project:services:7.x-3.4
-
cpe:2.3:a:services_project:services:7.x-3.5
-
cpe:2.3:a:services_project:services:7.x-3.6
-
cpe:2.3:a:services_project:services:7.x-3.7
-
cpe:2.3:a:services_project:services:7.x-3.9