PT-2019-19303 · Tiny+1 · Tiny Issue+1

Mrfko · Published 2019-02-22 · Updated 2021-07-21 · CVE-2019-9002

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Tiny Issue versions 1.3.1 through 1.3.2c
pixeline Bugs versions 1.3.1 through 1.3.2c

Description

An issue allows remote attackers to execute arbitrary PHP code via the database host parameter in the install/config-setup.php file if the installer remains present in its original directory after installation is completed.

Recommendations

For Tiny Issue and pixeline Bugs versions 1.3.1 through 1.3.2c, remove the installer from its original directory after installation is completed to prevent exploitation.

Exploit

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2019-9002

Affected Products

Tiny Issue
Pixeline Bugs