CVE-2015-4393

Services module 7.x-3.x < 7.x-3.12 - Authenticated Remote Code Execution via Crafted Filename

Title source: llm
STIX 2.1

Description

The resource/endpoint for uploading files in the Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote authenticated users with the "Save file information" permission to execute arbitrary code via a crafted filename.

References (4)

Core 4
Core References
Patch, Vendor Advisory x_refsource_misc
https://www.drupal.org/node/2471879
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/04/25/6
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/74365
Patch x_refsource_confirm
https://www.drupal.org/node/2471847

Scores

EPSS 0.0171
EPSS Percentile 74.7%

Details

CWE
CWE-20
Status published
Products (11)
services_project/services 7.x-3.0
services_project/services 7.x-3.1
services_project/services 7.x-3.2
services_project/services 7.x-3.3
services_project/services 7.x-3.4
services_project/services 7.x-3.5
services_project/services 7.x-3.6
services_project/services 7.x-3.7
services_project/services 7.x-3.9
services_project/services 7.x-3.10
... and 1 more
Published Jun 15, 2015
Tracked Since Feb 18, 2026