PT-2018-13643 · Nibbleblog · Nibbleblog
Published
2018-09-06
·
Updated
2018-11-14
·
CVE-2018-16604
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Nibbleblog version 4.0.5
Description
An issue was discovered where an attacker can execute arbitrary PHP code by changing the username, as it is surrounded by double quotes, allowing for code injection, for example,
${phpinfo()}.Recommendations
For Nibbleblog version 4.0.5, consider disabling the ability to change usernames or restrict access to this functionality until a patch is available to prevent arbitrary PHP code execution.
Exploit
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nibbleblog