Skip to main content

Dotclear CVE-2016-7903

LOW
Permissions, Privileges, and Access Controls (CWE-264)
2017-01-04 cve@mitre.org
3.7
CVSS 3.0 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 04, 2017 - 21:59 cve.org
LOW 3.7

DescriptionCVE.org

Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.

AnalysisAI

Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-264. Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header. Affected products include: Dotclear. Version information: before 2.10.3.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2015-8832 HIGH POC
8.8 Feb 09

Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authen

CVE-2014-1613 HIGH POC
7.5 May 16

Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd coo

CVE-2015-8831 MEDIUM POC
6.1 Feb 09

Cross-site scripting (XSS) vulnerability in admin/comments.php in Dotclear before 2.8.2 allows remote attackers to injec

CVE-2014-3781 MEDIUM POC
5.8 Jun 11

The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass a

CVE-2016-7902 HIGH
8.8 Jan 04

Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authentica

CVE-2012-1039 MEDIUM POC
4.3 Mar 19

Multiple cross-site scripting (XSS) vulnerabilities in Dotclear before 2.4.2 allow remote attackers to inject arbitrary

CVE-2016-9268 HIGH
7.2 Nov 10

Unrestricted file upload vulnerability in the Blog appearance in the "Install or upgrade manually" module in Dotclear th

CVE-2016-6523 MEDIUM
6.1 Dec 09

Multiple cross-site scripting (XSS) vulnerabilities in the media manager in Dotclear before 2.10 allow remote attackers

CVE-2014-3782 MEDIUM
6.0 Jun 11

Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear

CVE-2017-6446 MEDIUM
6.1 Mar 05

XSS was discovered in Dotclear v2.11.2, affecting admin/blogs.php and admin/users.php with the sortby and order paramete

CVE-2024-27626 MEDIUM
6.1 Mar 21

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Dotclear version 2.29. Rated medium severity

CVE-2014-3783 MEDIUM
6.0 May 22

SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the

Share

CVE-2016-7903 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy