CVE-2015-7773 - Vulnerability Details - OpenCVE

Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file that lacks an extension, and then renaming this file to have a .php extension.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bastian Allgeier	Kirby

Configuration 1 [-]

cpe:2.3:a:bastian_allgeier:kirby:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://getkirby.com/changelog/kirby-2-1-2
http://jvn.jp/en/jp/JVN34780384/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000182

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2015-11-20T02:00:00

Updated: 2024-08-06T07:58:59.982Z

Reserved: 2015-10-09T00:00:00

Link: CVE-2015-7773

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-11-20T03:59:02.843

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-7773

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-11-17T00:00:00", "descriptions": [{"lang": "en", "value": "Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file that lacks an extension, and then renaming this file to have a .php extension."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-11-20T02:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"name": "JVNDB-2015-000182", "tags": ["third-party-advisory", "x_refsource_JVNDB"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000182"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://getkirby.com/changelog/kirby-2-1-2"}, {"name": "JVN#34780384", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN34780384/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2015-7773", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file that lacks an extension, and then renaming this file to have a .php extension."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "JVNDB-2015-000182", "refsource": "JVNDB", "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000182"}, {"name": "http://getkirby.com/changelog/kirby-2-1-2", "refsource": "CONFIRM", "url": "http://getkirby.com/changelog/kirby-2-1-2"}, {"name": "JVN#34780384", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN34780384/index.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:58:59.982Z"}, "title": "CVE Program Container", "references": [{"name": "JVNDB-2015-000182", "tags": ["third-party-advisory", "x_refsource_JVNDB", "x_transferred"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000182"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://getkirby.com/changelog/kirby-2-1-2"}, {"name": "JVN#34780384", "tags": ["third-party-advisory", "x_refsource_JVN", "x_transferred"], "url": "http://jvn.jp/en/jp/JVN34780384/index.html"}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2015-7773", "datePublished": "2015-11-20T02:00:00", "dateReserved": "2015-10-09T00:00:00", "dateUpdated": "2024-08-06T07:58:59.982Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bastian_allgeier:kirby:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3CFB45A-E4A1-4A06-B6CB-209E16612991", "versionEndIncluding": "2.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file that lacks an extension, and then renaming this file to have a .php extension."}, {"lang": "es", "value": "Vulnerabilidad de carga de archivos sin restricciones en el componente Panel en Bastian Allgeier Kirby en versiones anteriores a 2.1.2 permite a usuarios remotos autenticados ejecutar c\u00f3digo PHP arbitrario mediante la subida de un archivo que carece de una extensi\u00f3n, y luego renombrar este archivo para tener una extensi\u00f3n .php."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/434.html\">CWE-434: Unrestricted Upload of File with Dangerous Type</a>", "id": "CVE-2015-7773", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-11-20T03:59:02.843", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Patch", "Vendor Advisory"], "url": "http://getkirby.com/changelog/kirby-2-1-2"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "http://jvn.jp/en/jp/JVN34780384/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000182"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://getkirby.com/changelog/kirby-2-1-2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://jvn.jp/en/jp/JVN34780384/index.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000182"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}