ID

VAR-201901-1699


TITLE

File upload vulnerability in Baidu WebUploader component

Trust: 0.6

sources: CNVD: CNVD-2018-26054

DESCRIPTION

WebUploader is a simple, modern file upload component developed by the Baidu WebFE (FEX) team. It is based mainly on HTML5 and supplemented by Flash. A file upload vulnerability exists in the Baidu WebUploader component. The vulnerability is caused by lax filtering of file types or file extensions on the WebUploader component's upload page. An attacker can exploit it to upload script files, either directly or after a simple bypass, then execute system commands and obtain website server permissions.

Trust: 0.6

sources: CNVD: CNVD-2018-26054

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-26054

AFFECTED PRODUCTS

vendor: baidu
model: webuploader component
scope: eq
version: 0.1.15

Trust: 0.6

sources: CNVD: CNVD-2018-26054

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2018-26054
value: HIGH

Trust: 0.6

CNVD: CNVD-2018-26054
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2018-26054

PATCH

title: File upload vulnerability in Baidu webuploader component
url: https://www.cnvd.org.cn/patchinfo/show/145047

Trust: 0.6

sources: CNVD: CNVD-2018-26054

EXTERNAL IDS

db: CNVD
id: CNVD-2018-26054

Trust: 0.6

sources: CNVD: CNVD-2018-26054

SOURCES

db: CNVD
id: CNVD-2018-26054

LAST UPDATE DATE

2022-05-04T10:08:06.931000+00:00


SOURCES UPDATE DATE

db: CNVD
id: CNVD-2018-26054
date: 2019-09-07T00:00:00

SOURCES RELEASE DATE

db: CNVD
id: CNVD-2018-26054
date: 2019-01-03T00:00:00