Cforms & CformsII <= 14.7 – Remote Code Execution via Unauthorised File Upload | CVE 2014-9473

Affects Plugins

cforms2

Fixed in 14.8

cforms

No known fix

References

CVE

CVE-2014-9473

Exploitdb

35879

URL

https://packetstormsecurity.com/files/#129762/

URL

https://www.securityfocus.com/archive/1/534349/30/0/threaded

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

Miscellaneous

Submitter

pvdl & Bastian Germann

Verified

No

WPVDB ID

35558b4e-84ce-4558-9c0a-2d28ebf6913b

Timeline

Publicly Published

2014-12-30 (about 11 years ago)

Added

2015-01-13 (about 11 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2024-02-26

Title

Slivery Extender <= 1.0.2 - Authenticated(Contributor+) Remote Code Execution via shortcode

Published

2015-09-14

Title

EZ SQL Reports < 4.11.37 - Authenticated Arbitrary Code Execution

Published

2024-11-11

Title

Podlove Podcast Publisher < 4.1.17 - Authenticated (Admin+) Remote Code Execution

Published

2024-11-27

Title

Widget Options < 4.0.8 - Contributor+ Remote Code Execution

Published

2024-10-29

Title

W3SPEEDSTER < 7.27 - Admin+ RCE