PT-2018-13643 · Nibbleblog · Nibbleblog
Publicado
2018-09-06
·
Atualizado
2018-11-14
·
CVE-2018-16604
CVSS v3.1
7.2
Alta
| Vetor | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Nibbleblog version 4.0.5
Description
An issue was discovered where an attacker can execute arbitrary PHP code by changing the username, as it is surrounded by double quotes, allowing for code injection, for example,
${phpinfo()}.Recommendations
For Nibbleblog version 4.0.5, consider disabling the ability to change usernames or restrict access to this functionality until a patch is available to prevent arbitrary PHP code execution.
Exploit
Correção
Code Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Nibbleblog