CVE-2014-8337

9.8 CRITICAL

📋 TL;DR

An unauthenticated remote attacker can POST a file with any extension (for example .php) to the bundled uploadify.php handler, which stores it under the web root in the directory named by the request's folder parameter, and then execute it with a single GET request to the stored file. That is remote code execution as the web server user and, in practice, full compromise of the host. Affects HelpDEZk 1.0.1 and earlier.

💻 Affected Systems

Products:
  • HelpDEZk
Versions: 1.0.1 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the uploadify.php component in the includes/classes/uploadify-v2.1.4/ directory.

📦 What is this software?

HelpDEZk is an open-source, PHP-based help desk and ticket management application. The vulnerable file is the server-side handler of the bundled Uploadify 2.1.4 upload library (includes/classes/uploadify-v2.1.4/uploadify.php), a third-party component shipped inside HelpDEZk rather than HelpDEZk's own code.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, and complete control of the affected server.

🟠

Likely Case

Attackers upload web shells or malware to gain persistent access, steal sensitive data, or pivot to other systems.

🟢

If Mitigated

With server-side extension and content validation, a fixed upload directory outside the web root, and authentication on the upload endpoint, the remaining impact is limited to storage exhaustion (denial of service) from bulk uploads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a two-request process: one multipart POST of a file with an executable extension (such as .php) to uploadify.php, then one GET to the stored file. No credentials are needed, and the attacker chooses both the filename and, through the folder parameter, the destination directory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is known. Upgrade to a version newer than 1.0.1 if one is available, or apply the workarounds below.

🔧 Temporary Workarounds

Restrict file upload extensions

Applies to: all affected versions

Modify uploadify.php to accept only an allowlist of safe extensions (for example .jpg, .png, .pdf) and reject everything else. Use an allowlist, not a blocklist of executable extensions: compare the lower-cased final extension, and check the file content (MIME sniffing) against the extension, so that shell.PHP, shell.php.jpg and renamed scripts are all rejected.

Edit includes/classes/uploadify-v2.1.4/uploadify.php to add server-side extension validation; the check must run on the server, since anything enforced only in the Uploadify client widget is trivially bypassed.

Move upload directory outside web root

Applies to: all affected versions

Store uploads in a fixed directory outside the web-accessible tree and serve them, if needed, through an authenticated download script that sends them as attachments.

Hard-code the destination directory on the server side and ignore the client-supplied folder parameter; changing only the value the client sends is not a fix, because the attacker sets that parameter in the request.
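Both workarounds above amount to rewriting the upload handler, so the following is an added example of a hardened replacement for uploadify.php. It is not HelpDEZk's or Uploadify's code. It assumes HelpDEZk stores the logged-in user id in $_SESSION['user_id'] (a placeholder; use the application's real session key) and that /var/lib/helpdezk/uploads exists, is writable by the web server user and is outside DOCUMENT_ROOT. The "before" lines in the comment are the stock Uploadify 2.1.4 logic, condensed; compare against your own copy.

```php
<?php
// hardened_uploadify.php - added example, not HelpDEZk's or Uploadify's code.
// Intended as a replacement for includes/classes/uploadify-v2.1.4/uploadify.php.
//
// The stock Uploadify 2.1.4 handler (condensed) is the vulnerable "before":
//   $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
//   $targetFile = str_replace('//', '/', $targetPath) . $_FILES['Filedata']['name'];
//   move_uploaded_file($_FILES['Filedata']['tmp_name'], $targetFile);
// i.e. attacker-chosen directory under the web root, attacker-chosen filename,
// no server-side extension check, no authentication.
declare(strict_types=1);
session_start();
header('Content-Type: text/plain; charset=utf-8');

const UPLOAD_DIR = '/var/lib/helpdezk/uploads';   // assumed path, outside DOCUMENT_ROOT
const MAX_BYTES  = 5 * 1024 * 1024;               // 5 MiB
const ALLOWED    = [                              // extension => acceptable sniffed MIME types
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
];

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo $msg;
    exit;
}

// 1. Authentication: the stock script answered anyone on the Internet.
//    $_SESSION['user_id'] is an assumed key; use HelpDEZk's real one.
if (empty($_SESSION['user_id'])) {
    fail(401, 'Login required.');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_FILES['Filedata'])) {
    fail(400, 'Expected a multipart POST with a Filedata part.');
}
$f = $_FILES['Filedata'];
if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    fail(400, 'Upload failed.');
}
if ($f['size'] > MAX_BYTES) {
    fail(413, 'File too large.');
}

// 2. Allowlist on the lower-cased *last* extension: shell.php and shell.PHP are
//    rejected here; shell.php.jpg passes as "jpg" and is caught by the content check.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!isset(ALLOWED[$ext])) {
    fail(415, 'File type not allowed.');
}

// 3. Content check: what the bytes say must match the claimed extension.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if (!in_array($mime, ALLOWED[$ext], true)) {
    fail(415, 'File content does not match its extension.');
}

// 4. Server-chosen directory and name: the client's folder parameter and original
//    filename are never used, which also removes the path-traversal surface.
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
$dest   = UPLOAD_DIR . '/' . $stored;
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail(500, 'Could not store file.');
}
chmod($dest, 0640);   // not executable, not world-readable

// Return only the opaque stored name. A separate authenticated download script
// (not shown) should serve it with Content-Disposition: attachment.
echo $stored;
```

Because the file never lands under DOCUMENT_ROOT, even a validation bypass yields a file the web server will not execute or serve directly; the allowlist and MIME check then limit what can be smuggled into the download path.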

🧯 If You Can't Patch

  • Disable the uploadify.php component entirely if not needed
  • Implement web application firewall rules to block requests to uploadify.php and uploaded executable files

🔍 How to Verify

Check if Vulnerable:

Check whether includes/classes/uploadify-v2.1.4/uploadify.php exists under the HelpDEZk install and whether it accepts a POST of a file with a .php, .exe or other executable extension without requiring a login. Presence of the unmodified file is itself a strong indicator, because the stock handler performs no server-side extension check.

Check Version:

Check HelpDEZk version in configuration files or admin interface

Verify Fix Applied:

Attempt to upload a file with .php extension - it should be rejected. Check that uploaded files cannot be accessed via direct URL.

📡 Detection & Monitoring

Log Indicators:

  • File uploads with executable extensions
  • Access to uploaded files with .php, .exe extensions
  • Unusual POST requests to uploadify.php

Network Indicators:

  • POST requests to /includes/classes/uploadify-v2.1.4/uploadify.php
  • GET requests to uploaded files with executable extensions

SIEM Query:

source="web_logs" AND (uri="/includes/classes/uploadify-v2.1.4/uploadify.php" OR uri MATCH "*\.(php|exe|sh|bat)$")

The second clause matches every page of a PHP application, so on its own it is noise. Scope it to the upload directories actually in use (the folder values seen in POSTs to uploadify.php), or alert only on executable-extension GETs from a client that earlier POSTed to uploadify.php. HelpDEZk may also be installed under a sub-path, so match on the uploadify-v2.1.4/uploadify.php suffix rather than an absolute URI.
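The correlation the query cannot express on its own (an upload POST followed by the same client fetching an executable path) is shown in the following added example, a small PHP CLI scanner over access-log lines. It is not HelpDEZk tooling. The KNOWN_SCRIPTS list is an assumed placeholder to be tuned per installation, and the sample log lines are constructed, not real traffic.

```php
<?php
// upload_watch.php - added example, not part of HelpDEZk.
// Scans Apache/nginx "combined" access-log lines for the indicators above and
// correlates them: a POST to uploadify.php from a client, followed within a window
// by that same client fetching a .php/.exe/.sh/.bat path that is not a known
// HelpDEZk entry point.  Run: php upload_watch.php /var/log/apache2/access.log
declare(strict_types=1);

// Legitimate front-controller paths; assumed placeholders, tune per installation.
const KNOWN_SCRIPTS = ['/index.php', '/login.php', '/ticket.php'];
const EXEC_EXT_RE   = '/\.(php\d?|phtml|phar|exe|sh|bat|cgi)$/i';
const UPLOAD_RE     = '#/uploadify-v2\.1\.4/uploadify\.php$#';
// combined format: ip - user [ts] "METHOD path HTTP/x" status bytes "ref" "ua"
const LINE_RE       = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

function parseLine(string $line): ?array {
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH) ?? $m[4],   // strip ?query
        'status' => (int) $m[5],
    ];
}

function scan(iterable $lines, int $windowSec = 3600): array {
    $alerts    = [];
    $uploaders = [];   // ip => timestamp of most recent POST to uploadify.php
    foreach ($lines as $line) {
        $r = parseLine(trim((string) $line));
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && preg_match(UPLOAD_RE, $r['path'])) {
            // Every POST is worth a look: the stock endpoint is unauthenticated.
            $uploaders[$r['ip']] = $r['time'];
            $alerts[] = ['level' => 'notice', 'ip' => $r['ip'], 'path' => $r['path'],
                         'why' => 'POST to uploadify.php'];
            continue;
        }
        if ($r['method'] === 'GET' && $r['status'] === 200
            && preg_match(EXEC_EXT_RE, $r['path'])
            && !in_array($r['path'], KNOWN_SCRIPTS, true)
            && isset($uploaders[$r['ip']])
            && $r['time'] - $uploaders[$r['ip']] <= $windowSec) {
            $alerts[] = ['level' => 'high', 'ip' => $r['ip'], 'path' => $r['path'],
                         'why' => 'executable path fetched after upload by same client'];
        }
    }
    return $alerts;
}

// Constructed sample lines (not real traffic): one normal user, one attacker.
$sample = [
    '198.51.100.7 - - [10/Oct/2014:13:55:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2014:13:56:12 +0000] "POST /helpdezk/includes/classes/uploadify-v2.1.4/uploadify.php HTTP/1.1" 200 41 "-" "python-requests/2.4"',
    '203.0.113.9 - - [10/Oct/2014:13:56:14 +0000] "GET /helpdezk/uploads/cmd.php?c=id HTTP/1.1" 200 88 "-" "python-requests/2.4"',
    '198.51.100.7 - - [10/Oct/2014:13:57:40 +0000] "GET /ticket.php?id=12 HTTP/1.1" 200 7010 "-" "Mozilla/5.0"',
];

$input = $argc > 1 ? new SplFileObject($argv[1]) : $sample;
foreach (scan($input) as $a) {
    printf("[%s] %s %s  (%s)\n", $a['level'], $a['ip'], $a['path'], $a['why']);
}
```

Run without arguments it reports a notice for the POST from 203.0.113.9 and a high alert for that client's GET of /helpdezk/uploads/cmd.php, while 198.51.100.7's ordinary page views produce nothing. The per-client correlation is what keeps the executable-extension clause from firing on every legitimate PHP page.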
