How severe is CVE-2017-3189?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2017-3189?

This is classified as CWE-434, which is a common weakness in software security.

CVE-2017-3189 - HIGH Severity | CVSS 8.1

Vulnerability Description

The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on the types of files which the bundle contains. This vulnerability combined with the path traversal vulnerability (CVE-2017-3188) can lead to remote command execution with the permissions of the user running the dotCMS application. An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application.

Related Vulnerabilities

CVE-2012-2950

HIGH

CVSS:8.1(High)

Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information.

CWE-4342012

CVE-2017-12615

HIGH

CVSS:8.1(High)

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to th...

CWE-4342017

CVE-2017-12617

HIGH

CVSS:8.1(High)

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the De...

CWE-4342017

CVE-2018-12528

HIGH

CVSS:8.1(High)

An issue was discovered on Intex N150 devices. The backup/restore option does not check the file extension uploaded for importing a configuration files backup, which can lead to corrupting the router ...

CWE-4342018

CVE-2021-20104

HIGH

CVSS:8.1(High)

Machform prior to version 16 is vulnerable to unauthenticated remote code execution due to insufficient sanitization of file attachments uploaded with forms through upload.php.

CWE-4342021

CVE-2021-27984

HIGH

CVSS:8.1(High)

In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files.

CWE-4342021