CVE-2017-11715

Published: Jul 28, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php.

Affected (1)

Products: Metinfo Project: Metinfo

Metinfo Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Metinfo Project Metinfo	Up to 5.3.17

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://lncken.cn/?p=316

Source: cve@mitre.org

ExploitThird Party Advisory

https://lncken.cn/?p=316

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.