CVE-2020-8866
php-horde-form - security update
CVSS 3.1: 6.5 (MEDIUM)
EPSS: 3.5%
Description
This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.
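How to fix CVE-2020-8866
To fix CVE-2020-8866, upgrade the affected packages to the patched versions listed here.
- Upgrade to 2.0.20-1 or later
- Upgrade to 2.0.8-2+deb8u2 or later
Is CVE-2020-8866 being exploited?
Low. EPSS is 3.5%, and no large-scale exploitation activity has been observed so far.
Affected packages (2)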
- from 0, < 2.0.20-1
- from 0, < 2.0.8-2+deb8u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |