CVE Vulnerability

CVE-2007-6676

The default configuration of Uber Uploader (UU) 5.3.6 and earlier does not block uploads of (1) .html, (2) .asp, and other possibly dangerous extensions, which allows remote attackers to use these extensions in uploads via (a) uu_file_upload.php, related to uu_file_upload.js and (b) uber_uploader_file.php, related to uber_uploader_file.js, a different issue than CVE-2007-0123. NOTE: the vendor disputes the severity of the issue, noting that it is the administrator's responsibility to "add file extensions that you may or may not want uploaded."

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

References
Link Resource
http://securityreason.com/securityalert/3519
http://osvdb.org/43535
http://www.securityfocus.com/archive/1/485290/100/100/threaded
http://www.securityfocus.com/archive/1/485235/100/100/threaded
Configurations

Configuration 1

cpe:2.3:a:uber_uploader:uber_uploader:*:*:*:*:*:*:*:*
Information

Published : 2008-01-08 07:46

Updated : 2018-10-15 09:56

NVD link : CVE-2007-6676

Mitre link : CVE-2007-6676

Products Affected
No products.
CWE
CWE-16