PatchSiren cyber security CVE debrief
CVE-2015-8832 Dotclear CVE debrief
CVE-2015-8832 is a high-severity authenticated remote code execution issue in Dotclear before 2.8.2. The vulnerable upload handling in inc/core/class.dc.core.php used incomplete blacklist filtering, allowing a user with limited management permissions to upload PHP-capable files such as .pht, .phps, or .phtml and execute server-side code.
- Vendor: Dotclear
- Product: CVE-2015-8832
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-09
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-09
- Advisory updated: 2026-05-13
Who should care
Dotclear administrators, hosting providers, and security teams running versions before 2.8.2, especially where low-privilege accounts can manage media items or create/manage entries and comments.
Technical summary
NVD describes multiple incomplete blacklist vulnerabilities in Dotclear's core upload handling. The issue affects authenticated users with "manage their own media items" and "manage their own entries and comments" permissions. Because the file-type blacklist was incomplete, an attacker could upload a web-executable file with a PHP-related extension and obtain arbitrary PHP execution on the server. The NVD record rates the impact as network exploitable with low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity, and availability impact.
Defensive priority
High. This is a remotely reachable, authenticated RCE path with full impact, and the vendor fixed it in Dotclear 2.8.2.
Recommended defensive actions
- Upgrade Dotclear to 2.8.2 or later immediately.
- Review accounts that can manage media items or entries/comments and remove unnecessary privileges.
- Audit uploaded content for unexpected PHP-related file types and investigate any suspicious uploads.
- Verify that web server configuration does not execute user-uploaded files from media or attachment directories.
- Check logs and file listings for signs of abuse around the affected upload workflow.
- Use the supplied vendor release notes and third-party advisories to confirm remediation steps and version boundaries before reopening upload capabilities.
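As an added illustration (not Dotclear's code and not part of this debrief's source material), the following Python contrasts the incomplete-blacklist pattern described in the technical summary with an allowlist check, and implements the upload-directory audit from the recommended actions above. The contents of INCOMPLETE_BLACKLIST and the PHP_CAPABLE extensions beyond .pht, .phps and .phtml are assumptions.

```python
import os
from typing import Iterable, List

# Extensions commonly mapped to a PHP handler. The three named in the advisory
# (.pht, .phps, .phtml) are included; the others are an assumption for this audit.
PHP_CAPABLE = {"php", "php3", "php4", "php5", "php7", "php8",
               "phar", "pht", "phps", "phtml"}

# Hypothetical incomplete blacklist, reconstructed to illustrate the class of flaw
# the advisory describes. It is not Dotclear's actual filter.
INCOMPLETE_BLACKLIST = {"php", "php3", "php4", "php5"}

def extensions(filename: str) -> List[str]:
    """Every extension segment after the first dot, lower-cased:
    'a.PHT.jpg' -> ['pht', 'jpg']."""
    parts = os.path.basename(filename).lower().split(".")
    return [p for p in parts[1:] if p]

def blacklist_allows(filename: str) -> bool:
    """Weak check: only the final extension is compared against a deny list,
    so 'shell.pht' or 'shell.phtml' pass straight through."""
    exts = extensions(filename)
    return not exts or exts[-1] not in INCOMPLETE_BLACKLIST

def allowlist_allows(filename: str,
                     allowed=frozenset({"jpg", "jpeg", "png", "gif", "pdf"})) -> bool:
    """Hardened check: exactly one extension, and it must be on the allow list.
    Requiring a single segment also rejects 'x.php.jpg', which handler
    configurations that match any extension segment may still execute."""
    exts = extensions(filename)
    return len(exts) == 1 and exts[0] in allowed

def php_capable(filename: str) -> bool:
    """Audit predicate: true if any extension segment is PHP-capable."""
    return any(e in PHP_CAPABLE for e in extensions(filename))

def audit(paths: Iterable[str]) -> List[str]:
    """Return the paths that should be investigated, sorted for stable reports."""
    return sorted(p for p in paths if php_capable(p))

def audit_dir(root: str) -> List[str]:
    """Walk a media or attachment directory and run the audit over every file."""
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return audit(found)

if __name__ == "__main__":
    import sys
    for path in audit_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("investigate:", path)
```

Run it against the media root to produce a list of files to review; a hit is a reason to inspect the file and the account that uploaded it, not proof of compromise.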
Evidence notes
The debrief is based on the NVD record and the referenced vendor release notes. The supplied NVD metadata states that Dotclear versions through 2.8.1 are vulnerable and that the issue is fixed in 2.8.2. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and the listed weakness is CWE-284. Reference links include the Dotclear 2.8.2 release notes, a vendor patch reference, and third-party advisories that corroborate public disclosure. No KEV listing or ransomware-campaign linkage is present in the supplied corpus.
Official resources
- CVE-2015-8832 CVE record (CVE.org)
- CVE-2015-8832 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Release Notes, Vendor Advisory
- Mitigation or vendor reference: Exploit, Patch, Third Party Advisory
- Mitigation or vendor reference: Exploit, Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference: Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference: Mailing List, Patch, Third Party Advisory
- Source reference
- Mitigation or vendor reference: Exploit, Patch, Third Party Advisory
Dotclear fixed the issue in 2.8.2, with vendor release notes dated 2015-10-25 in the supplied references. The CVE record itself was published by NVD on 2017-02-09 and later modified on 2026-05-13; those dates describe record lifecycle, not.