CVE-2014-1683

Sažetak

The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php.

Reference

http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html
http://seclists.org/fulldisclosure/2014/Jan/159
http://secunia.com/advisories/56646
http://www.exploit-db.com/exploits/31183
http://www.exploit-db.com/exploits/31432
http://www.securityfocus.com/bid/65129
https://exchange.xforce.ibmcloud.com/vulnerabilities/90670

CVSS

Base:	6.8
Impact:	6.4
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

29-08-2017 - 01:34

Objavljeno

29-01-2014 - 18:55