ID

VAR-201110-0216


CVE

CVE-2011-3980


TITLE

TYPO3 Drag Drop Mass Upload Arbitrary File Update Vulnerability

Trust: 0.8

sources: IVD: 90994ef0-2354-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201110-017

DESCRIPTION

Unspecified vulnerability in the Drag Drop Mass Upload (ameos_dragndropupload) extension 2.0.2 and earlier for TYPO3 allows remote attackers to upload arbitrary files via unknown vectors. TYPO3 is one of the leading open source content management systems (CMS) and content management frameworks (CMF), based on PHP and MySQL databases, and is a powerful open source solution. A remote attacker can update arbitrary files via an unknown vector. The issue occurs because the application fails to adequately validate user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Trust: 2.61

sources: NVD: CVE-2011-3980 // JVNDB: JVNDB-2011-002338 // CNVD: CNVD-2011-6034 // BID: 49516 // IVD: 90994ef0-2354-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 90994ef0-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6034

AFFECTED PRODUCTS

vendor: jerome schneider, model: ameos dragndropupload, scope: eq, version: 2.0.0

Trust: 1.6

vendor: jerome schneider, model: ameos dragndropupload, scope: eq, version: 2.0.1

Trust: 1.6

vendor: jerome schneider, model: ameos dragndropupload, scope: lte, version: 2.0.2

Trust: 1.0

vendor: jerome schneider, model: drag drop mass upload, scope: lte, version: extension 2.0.2

Trust: 0.8

vendor: no, model: -, scope: -, version: -

Trust: 0.6

vendor: jerome schneider, model: ameos dragndropupload, scope: eq, version: 2.0.2

Trust: 0.6

vendor: typo3, model: drag drop mass upload, scope: eq, version: 2.0.2

Trust: 0.3

vendor: typo3, model: drag drop mass upload, scope: ne, version: 3.1.1

Trust: 0.3

vendor: typo3, model: drag drop mass upload, scope: ne, version: 3.0

Trust: 0.3

vendor: ameos dragndropupload, model: -, scope: eq, version: 2.0.0

Trust: 0.2

vendor: ameos dragndropupload, model: -, scope: eq, version: 2.0.1

Trust: 0.2

vendor: ameos dragndropupload, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 90994ef0-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6034 // BID: 49516 // JVNDB: JVNDB-2011-002338 // CNNVD: CNNVD-201110-017 // NVD: CVE-2011-3980

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-3980
value: HIGH

Trust: 1.0

NVD: CVE-2011-3980
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2011-6034
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201110-017
value: HIGH

Trust: 0.6

IVD: 90994ef0-2354-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2011-3980
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2011-3980
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2011-6034
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 90994ef0-2354-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 90994ef0-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6034 // JVNDB: JVNDB-2011-002338 // CNNVD: CNNVD-201110-017 // NVD: CVE-2011-3980

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2011-3980

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201109-100 // CNNVD: CNNVD-201110-017

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201109-100

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-002338

PATCH

title: TYPO3-EXT-SA-2011-010: A vulnerability in extension Drag Drop Mass Upload (ameos_dragndropupload)
url: http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2011-010/

Trust: 0.8

title: TYPO3 Drag Drop Mass Upload Patch for any file update vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/36296

Trust: 0.6

sources: CNVD: CNVD-2011-6034 // JVNDB: JVNDB-2011-002338

EXTERNAL IDS

db: NVD, id: CVE-2011-3980

Trust: 3.5

db: BID, id: 49516

Trust: 3.1

db: CNVD, id: CNVD-2011-6034

Trust: 0.8

db: CNNVD, id: CNNVD-201110-017

Trust: 0.8

db: JVNDB, id: JVNDB-2011-002338

Trust: 0.8

db: CNNVD, id: CNNVD-201109-100

Trust: 0.6

db: XF, id: 3

Trust: 0.6

db: XF, id: 69694

Trust: 0.6

db: IVD, id: 90994EF0-2354-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 90994ef0-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-6034 // BID: 49516 // JVNDB: JVNDB-2011-002338 // CNNVD: CNNVD-201109-100 // CNNVD: CNNVD-201110-017 // NVD: CVE-2011-3980

REFERENCES

url:http://www.securityfocus.com/bid/49516

Trust: 2.8

url:http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2011-010/

Trust: 1.9

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/69694

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3980

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3980

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/69694

Trust: 0.6

url:http://typo3.com/

Trust: 0.3

url:http://typo3.org/extensions/repository/view/ameos_dragndropupload/3.1.1/

Trust: 0.3

sources: CNVD: CNVD-2011-6034 // BID: 49516 // JVNDB: JVNDB-2011-002338 // CNNVD: CNNVD-201109-100 // CNNVD: CNNVD-201110-017 // NVD: CVE-2011-3980

CREDITS

Oliver Hader

Trust: 0.9

sources: BID: 49516 // CNNVD: CNNVD-201109-100

SOURCES

db: IVD, id: 90994ef0-2354-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2011-6034
db: BID, id: 49516
db: JVNDB, id: JVNDB-2011-002338
db: CNNVD, id: CNNVD-201109-100
db: CNNVD, id: CNNVD-201110-017
db: NVD, id: CVE-2011-3980

LAST UPDATE DATE

2024-08-14T12:15:47.980000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2011-6034, date: 2011-10-09T00:00:00
db: BID, id: 49516, date: 2011-10-05T16:00:00
db: JVNDB, id: JVNDB-2011-002338, date: 2011-10-11T00:00:00
db: CNNVD, id: CNNVD-201109-100, date: 2011-09-13T00:00:00
db: CNNVD, id: CNNVD-201110-017, date: 2011-10-09T00:00:00
db: NVD, id: CVE-2011-3980, date: 2017-08-29T01:30:25.770

SOURCES RELEASE DATE

db: IVD, id: 90994ef0-2354-11e6-abef-000c29c66e3d, date: 2011-10-09T00:00:00
db: CNVD, id: CNVD-2011-6034, date: 2011-10-09T00:00:00
db: BID, id: 49516, date: 2011-09-08T00:00:00
db: JVNDB, id: JVNDB-2011-002338, date: 2011-10-11T00:00:00
db: CNNVD, id: CNNVD-201109-100, date: 1900-01-01T00:00:00
db: CNNVD, id: CNNVD-201110-017, date: 2011-10-09T00:00:00
db: NVD, id: CVE-2011-3980, date: 2011-10-04T10:55:11.723