PT-2017-6686 · Phpmyadmin · Phpmybackuppro

Published

2017-07-21

·

Updated

2017-07-25

·

CVE-2015-3640

CVSS v2.0

6.0

Medium

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: phpMyBackupPro versions 2.5 and earlier
Description: phpMyBackupPro does not properly escape the "." character in request parameters. A remote authenticated user can supply crafted values for the path, filename and dirs parameters of the "scheduled.php" endpoint so that attacker-controlled script content is written to a file whose name and location the attacker chooses, and can then request that file so the web server executes it as PHP. The attack requires valid phpMyBackupPro credentials (CVSS Au:S), so the exposure is to any user who can log in, not only to administrators.
Recommendations: For phpMyBackupPro versions 2.5 and earlier, restrict access to the "scheduled.php" endpoint (for example with web-server level authentication or an IP allow list) until a proper fix is applied, and limit which accounts can reach the application at all, since the attack requires an authenticated user. Because exploitation ends with a request to a planted PHP file, disable script execution in the directory where backups are written and review the document root for unexpected PHP files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
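The two-stage pattern in the description above (a scheduled.php request whose path, filename or dirs parameter smuggles a traversal segment or a ".php" name, followed by a request for the planted script) can be hunted for in web-server access logs. The following script is an added example for this advisory, not code from phpMyBackupPro or from the vulnerability database; it assumes (hypothetically) that the application is served under /phpmybackuppro/, that backups land under /phpmybackuppro/export/, and that logs are in Apache combined format. The sample log lines are constructed for the example.

```python
"""Detect attempts to exploit CVE-2015-3640 in phpMyBackupPro access logs.

Added example, not code from phpMyBackupPro or the advisory. Assumed
(hypothetical) layout: app under /phpmybackuppro/, backups written under
/phpmybackuppro/export/, Apache combined log format. Sample lines below
are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameters of scheduled.php named in the advisory.
WATCHED_PARAMS = ("path", "filename", "dirs")

# Apache combined log: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_reasons(value):
    """Return why a parameter value looks like an injection attempt.

    The bug is that '.' is not escaped, so a value can carry a '..'
    traversal segment or a '.php' extension that turns a backup name
    into an executable script. The value is URL-decoded twice to catch
    simple double-encoding such as %252e%252e.
    """
    decoded = unquote(unquote(value))
    reasons = []
    if ".." in decoded.replace("\\", "/").split("/"):
        reasons.append("traversal")
    if re.search(r"\.ph(p\d?|tml|ar)(\b|$)", decoded, re.IGNORECASE):
        reasons.append("php-extension")
    if "\x00" in decoded or "%00" in value.lower():
        reasons.append("null-byte")
    return reasons


def analyse_request(target):
    """Classify one request target as ("inject", detail), ("execute", path) or None."""
    parts = urlsplit(target)
    path = parts.path
    if path.endswith("/scheduled.php"):
        qs = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in qs.get(name, []):
                reasons = suspicious_reasons(value)
                if reasons:
                    return ("inject", f"{name}={value} [{','.join(reasons)}]")
        return None
    # Stage two: the attacker requests the script they planted.
    if "/export/" in path and path.lower().endswith(".php"):
        return ("execute", path)
    return None


def scan_log(lines):
    """Return a list of (ip, kind, detail) findings for the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyse_request(m.group("target"))
        if result:
            findings.append((m.group("ip"), result[0], result[1]))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jul/2017:10:00:01 +0000] "GET /phpmybackuppro/scheduled.php?path=export/&filename=db_2017.sql HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Jul/2017:10:00:05 +0000] "GET /phpmybackuppro/scheduled.php?path=export/&filename=shell.php&dirs=../ HTTP/1.1" 200 77',
    '203.0.113.9 - - [21/Jul/2017:10:00:07 +0000] "GET /phpmybackuppro/export/shell.php?cmd=id HTTP/1.1" 200 33',
    '203.0.113.9 - - [21/Jul/2017:10:00:09 +0000] "GET /phpmybackuppro/scheduled.php?dirs=%252e%252e%252f HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for ip, kind, detail in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{detail}")
```

Only GET query strings appear in a standard access log; if the application accepts these parameters in a POST body, the "inject" stage is invisible here and the "execute" stage (a request for a PHP file under the backup directory) is the signal to alert on.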

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2015-3640

Affected Products

Phpmybackuppro