PT-2006-4031 · Nucleus · Nucleus

Gamr-14 · Published 2006-06-22 · Updated 2025-01-17 · CVE-2006-3136

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Nucleus version 3.23

Description

The issue allows remote attackers to execute arbitrary PHP code via a URL in the DIR_LIBS parameter in various files, including path/action.php, media.php, /xmlrpc/server.php, and /xmlrpc/api_metaweblog.inc.php.

Recommendations

For Nucleus version 3.23, consider restricting access to the DIR_LIBS parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the DIR_LIBS parameter in the affected API endpoints until the issue is resolved.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2006-3136

Affected Products

Nucleus