MEDIUM🇵🇱 Wersja polska

CVE-2016-9493

CVSS 6.1v3.0pub. 2018-07-13upd. 2024-11-21

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Jqueryform PHP Formmail Generator

    APP
    Jqueryform
    < 2016-12-17
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2016-9482CRITICAL9.8ten sam produkt

Code generated by PHP FormMail Generator may allow a remote unauthenticated user to bypass authentication in t...

CVE-2016-9483CRITICAL9.8ten sam produkt

The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filma...

CVE-2016-9492CRITICAL9.8ten sam produkt

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of...

CVE-2016-9484HIGH7.5ten sam produkt

The generated PHP form code does not properly validate user input folder directories, allowing a remote unauth...

CVE-2022-24984CRITICAL9.8ten sam vendor

Forms generated by JQueryForm.com before 2022-02-05 (if file-upload capability is enabled) allow remote unauth...