Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2012-6498 |
CWE-ID | CWE-434 |
Exploitation vector | Network |
Public exploit | This vulnerability is being exploited in the wild. |
Vulnerable software Subscribe |
Atomymaxsite Web applications / Other software |
Vendor | Atomymaxsite |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
EUVDB-ID: #VU4202
Risk: Critical
CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID: CVE-2012-6498
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause arbitrary code execution on the original server.
The weakness exists due to improper validation of file extensions in "index.php" script when uploading files. A remote attacker can upload arbitrary file with .php extension and execute it on the system with privileges of the web server.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
Install update from vendor's website.
Atomymaxsite: 1.50 - 2.5
External linkshttp://www.youtube.com/watch?v=CfvTCSS3LGY
http://www.thaicert.or.th/alerts/admin/2012/al2012ad025.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.