PT-2010-3709 · E107 · E107
Published 2010-05-27 · Updated 2010-05-28 · CVE-2010-2099
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
e107 versions 0.7.20 and earlier
Description
The issue allows remote attackers to execute arbitrary PHP code due to a lack of access control checks for all inputs that could contain the php bbcode tag. This can be demonstrated using the toEmail method in contact.php, which is related to invocations of the toHTML method.
Recommendations
For versions 0.7.20 and earlier, consider disabling the toHTML method or restricting access to contact.php until a patch is available to prevent the execution of arbitrary PHP code.
Exploit
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
E107