CVE-2024-58281

Published: Dec 10, 2025Modified: Dec 19, 2025

8.7

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file.

Affected (1)

Products: Dotclear: Dotclear

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dotclear Dotclear	Version 2.29

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (5)

https://git.dotclear.org/explore/repos

Source: disclosure@vulncheck.com

Broken Link

https://github.com/dotclear/dotclear/archive/refs/heads/master.zip

Source: disclosure@vulncheck.com

Product

https://www.exploit-db.com/exploits/52037

Source: disclosure@vulncheck.com

ExploitThird Party Advisory

https://www.vulncheck.com/advisories/dotclear-remote-code-execution-via-authenticated-file-upload

Source: disclosure@vulncheck.com

Third Party Advisory

https://github.com/dotclear/dotclear/archive/refs/heads/master.zip

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Product

Timeline

No history available yet.