CVE-2015-4393
Services module 7.x-3.x < 7.x-3.12 - Authenticated Remote Code Execution via Crafted Filename
Title source: llmDescription
The resource/endpoint for uploading files in the Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote authenticated users with the "Save file information" permission to execute arbitrary code via a crafted filename.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_misc
https://www.drupal.org/node/2471879
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/04/25/6
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/74365
Patch x_refsource_confirm
https://www.drupal.org/node/2471847
Scores
EPSS
0.0171
EPSS Percentile
74.7%
Details
CWE
CWE-20
Status
published
Products (11)
services_project/services
7.x-3.0
services_project/services
7.x-3.1
services_project/services
7.x-3.2
services_project/services
7.x-3.3
services_project/services
7.x-3.4
services_project/services
7.x-3.5
services_project/services
7.x-3.6
services_project/services
7.x-3.7
services_project/services
7.x-3.9
services_project/services
7.x-3.10
... and 1 more
Published
Jun 15, 2015
Tracked Since
Feb 18, 2026