CVE-2007-1604

W-Agora 4.2.1 - Multiple Arbitrary File Upload Vulnerabilities

Severity Score

7.5
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agora) allow remote attackers to upload and execute arbitrary PHP code (1) via a forum message with an attached file, which is stored under forums/hello/hello/notes/ or (2) by using browse_avatar.php to upload a file with a double extension, as demonstrated by .php.jpg.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2007-03-20 First Exploit
  • 2007-03-22 CVE Reserved
  • 2007-03-22 CVE Published
  • 2024-05-17 EPSS Updated
  • 2024-08-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
W-agora W-agora 4.2.1 - Affected