CVE-2015-3638

Name of the Vulnerable Software and Affected Versions phpMyBackupPro versions prior to 2.5

Description The issue allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to "scheduled.php", and making requests to injected scripts. Additionally, it is possible to inject PHP into a PHP configuration variable via a PHP variable variable.

Recommendations For versions prior to 2.5, as a temporary workaround, consider restricting access to the "scheduled.php" endpoint and avoid using the path, filename, and period parameters until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.