CVE-2011-4106

Severity CVSS v4.0:
Pending analysis
Type:
CWE-20 Input Validation
Publication date:
26/10/2013
Last modified:
11/04/2025

Description

TimThumb (timthumb.php) before 2.0 does not validate the entire source with the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it via a direct request to the file in the cache directory, as exploited in the wild in August 2011.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:binarymoon:timthumb:*:*:*:*:*:*:*:* 1.99 (including)