Candidate: CVE-2015-8832
PublicDate: 2017-02-09 15:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8832
 https://hg.dotclear.org/dotclear/rev/198580bc3d80
 https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2
 http://www.openwall.com/lists/oss-security/2016/03/05/4
Description:
 Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php
 in Dotclear before 2.8.2 allow remote authenticated users with "manage
 their own media items" and "manage their own entries and comments"
 permissions to execute arbitrary PHP code by uploading a file with a (1)
 .pht, (2) .phps, or (3) .phtml extension.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815979
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_dotclear:
 upstream: https://hg.dotclear.org/dotclear/rev/198580bc3d80
upstream_dotclear: released (2.8.2)
precise_dotclear: ignored (reached end-of-life)
precise/esm_dotclear: DNE (precise was needs-triage)
trusty_dotclear: ignored (reached end-of-life)
trusty/esm_dotclear: DNE (trusty was needed)
vivid/stable-phone-overlay_dotclear: DNE
vivid/ubuntu-core_dotclear: DNE
wily_dotclear: ignored (reached end-of-life)
xenial_dotclear: ignored (end of standard support, was needed)
yakkety_dotclear: DNE
zesty_dotclear: DNE
artful_dotclear: DNE
bionic_dotclear: DNE
cosmic_dotclear: DNE
disco_dotclear: DNE
eoan_dotclear: DNE
focal_dotclear: DNE
groovy_dotclear: DNE
hirsute_dotclear: DNE
impish_dotclear: DNE
jammy_dotclear: DNE
devel_dotclear: DNE