Photo Gallery < 1.5.75 - File Upload Path Traversal
CVE-2021-24363

4.9MEDIUM

Key Information:

Vendor: Wordpress
Status: Photo Gallery By 10web – Mobile-friendly Image Gallery
Vendor: CVE Published:; 16 August 2021

Summary

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector

Affected Version(s)

Photo Gallery by 10Web – Mobile-Friendly Image Gallery 1.5.75

References

https://wpscan.com/vulnerability/1628935f-1d7d-4609-b7a9-...

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 16, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

avolume