CVE-2015-6497

Sažetak

The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap.

Reference

http://blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html
http://karmainsecurity.com/KIS-2015-04
http://magento.com/security/patches/supee-6482
http://packetstormsecurity.com/files/133544/Magento-1.9.2-File-Inclusion.html
http://seclists.org/fulldisclosure/2015/Sep/48

CVSS

Base:	6.5
Impact:	6.4
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:S/C:P/I:P/A:P

Zadnje važnije ažuriranje

22-01-2020 - 16:22

Objavljeno

15-01-2020 - 17:15