CVE-2015-0258
Publication date 17 February 2020
Last updated 25 August 2025
Ubuntu priority
Description
Multiple incomplete blacklist vulnerabilities in the avatar upload functionality in manageuser.php in Collabtive before 2.1 allow remote authenticated users to execute arbitrary code by uploading a file with a (1) .php3, (2) .php4, (3) .php5, or (4) .phtml extension.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| collabtive | 20.04 LTS focal | Not in release |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial |
Fixed 2.0+dfsg-6ubuntu1.1
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4590-1
- Collabtive vulnerability
- 19 October 2020