CVE-2013-4949 - Vulnerability Details - OpenCVE

Unrestricted file upload vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in the upload form's directory in data/.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Machform	Machform

Configuration 1 [-]

cpe:2.3:a:machform:machform:2.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://osvdb.org/94802
http://packetstormsecurity.com/files/122255/Machform-Form-Maker-2-XSS-Shell-Upload-SQL-Injection.html
http://www.exploit-db.com/exploits/26553
https://exchange.xforce.ibmcloud.com/vulnerabilities/85386

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2013-07-29T23:00:00

Updated: 2024-08-06T16:59:41.056Z

Reserved: 2013-07-29T00:00:00

Link: CVE-2013-4949

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2013-07-29T23:27:50.033

Modified: 2025-04-11T00:51:21.963

Link: CVE-2013-4949

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-07-02T00:00:00", "descriptions": [{"lang": "en", "value": "Unrestricted file upload vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in the upload form's directory in data/."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "machform-formmaker-view-file-upload(85386)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85386"}, {"name": "26553", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/26553"}, {"name": "94802", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/94802"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/122255/Machform-Form-Maker-2-XSS-Shell-Upload-SQL-Injection.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-4949", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unrestricted file upload vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in the upload form's directory in data/."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "machform-formmaker-view-file-upload(85386)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85386"}, {"name": "26553", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/26553"}, {"name": "94802", "refsource": "OSVDB", "url": "http://osvdb.org/94802"}, {"name": "http://packetstormsecurity.com/files/122255/Machform-Form-Maker-2-XSS-Shell-Upload-SQL-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/122255/Machform-Form-Maker-2-XSS-Shell-Upload-SQL-Injection.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:59:41.056Z"}, "title": "CVE Program Container", "references": [{"name": "machform-formmaker-view-file-upload(85386)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85386"}, {"name": "26553", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/26553"}, {"name": "94802", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/94802"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/122255/Machform-Form-Maker-2-XSS-Shell-Upload-SQL-Injection.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-4949", "datePublished": "2013-07-29T23:00:00", "dateReserved": "2013-07-29T00:00:00", "dateUpdated": "2024-08-06T16:59:41.056Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:machform:machform:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B0DFC803-BC1F-4279-8B44-D514F493F572", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted file upload vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in the upload form's directory in data/."}, {"lang": "es", "value": "Vulnerabilidad de subida de archivo sin restricci\u00f3n en view.php en Machform 2, permite a atacantes remotos ejecutar c\u00f3dgo PHP arbitrario mediante la subida de un archivo PHP y posteriormente realizando un petici\u00f3n hacia este archivo desde el formulario de \"uploads\" en el directorio /data."}], "evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/434.html\r\n\r\n'CWE-434: Unrestricted Upload of File with Dangerous Type'", "id": "CVE-2013-4949", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-07-29T23:27:50.033", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/94802"}, {"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/122255/Machform-Form-Maker-2-XSS-Shell-Upload-SQL-Injection.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/26553"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85386"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/94802"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/122255/Machform-Form-Maker-2-XSS-Shell-Upload-SQL-Injection.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/26553"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85386"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}