How severe is CVE-2016-9492?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2016-9492?

This is classified as CWE-434, which is a common weakness in software security.

CVE-2016-9492 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

Related Vulnerabilities

CVE-2010-1433

CRITICAL

CVSS:9.8(Critical)

Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to ...

CWE-4342010

CVE-2011-10004

CRITICAL

CVSS:9.8(Critical)

A vulnerability was found in reciply Plugin up to 1.1.7 on WordPress. It has been rated as critical. This issue affects some unknown processing of the file uploadImage.php. The manipulation leads to u...

CWE-4342011

CVE-2011-1134

CRITICAL

CVSS:9.8(Critical)

Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in the image manager.

CWE-4342011

CVE-2011-4906

CRITICAL

CVSS:9.8(Critical)

Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows file upload and arbitrary PHP code execution.

CWE-4342011

CVE-2011-4908

CRITICAL

CVSS:9.8(Critical)

TinyBrowser plugin for Joomla! before 1.5.13 allows arbitrary file upload via upload.php.

CWE-4342011

CVE-2012-2226

CRITICAL

CVSS:9.8(Critical)

Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.

CWE-4342012