Vulnerability Note VU#608591
PHP FormMail Generator generates code vulnerable to multiple issues
PHP forms generated using the PHP FormMail Generator are vulnerable to stored cross-site scripting and unrestricted upload of dangerous file types.
PHP FormMail Generator is a website that generates PHP form code for inclusion in a PHP-based or Wordpress-based website. The code generated by the website prior to 17 December 2016 is vulnerable to the following:
CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2016-9492
An unauthenticated remote attacker may be able to conduct stored XSS attacks against the form administrator, or possibly execute PHP code on the server if the attacker can guess the uploaded filename.
A full solution is not currently known, however users may consider the following.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|PHP FormMail Generator||Affected||16 Dec 2016||21 Dec 2016|
CVSS Metrics (Learn More)
Thanks to Ibram Marzouk for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-9492 CVE-2016-9493
- Date Public: 17 Dec 2016
- Date First Published: 07 Mar 2017
- Date Last Updated: 07 Mar 2017
- Document Revision: 28
If you have feedback, comments, or additional information about this vulnerability, please send us email.