CVE-2009-2265

high

Description

Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.

References

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00750.html

https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00710.html

http://www.vupen.com/english/advisories/2009/1825

http://www.vupen.com/english/advisories/2009/1813

http://www.securitytracker.com/id?1022513

http://www.securityfocus.com/archive/1/504721/100/0/threaded

http://www.ocert.org/advisories/ocert-2009-007.html

http://www.debian.org/security/2009/dsa-1836

http://sourceforge.net/project/shownotes.php?release_id=695430

http://secunia.com/advisories/35909

http://secunia.com/advisories/35833

http://packetstormsecurity.com/files/163271/Adobe-ColdFusion-8-Remote-Command-Execution.html

http://mail.zope.org/pipermail/zope-dev/2009-July/037195.html

http://isc.sans.org/diary.html?storyid=6724

Details

Source: Mitre, NVD

Published: 2009-07-05

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Severity: High