Lucene search

[email protected]CVE-2007-2148

HistoryApr 19, 2007 - 10:19 a.m.

CVE-2007-2148

2007-04-1910:19:00

[email protected]

web.nvd.nist.gov

cve-2007-2148

direct static code injection

stephen craton

wiredphp

chatness 2.5.3

remote authenticated administrators

php code injection

html files

vulnerability

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.9 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.4%

JSON

Direct static code injection vulnerability in admin/save.php in Stephen Craton (aka WiredPHP) Chatness 2.5.3 and earlier allows remote authenticated administrators to inject PHP code into .html files via the html parameter, as demonstrated by head.html and foot.html, which are included and executed upon a direct request for index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers.

Affected configurations

NVD

Node

stephen_cratonchatnessRange≤2.5.3

CPENameOperatorVersion
stephen_craton:chatnessstephen craton chatnessle2.5.3

CPE	Name	Operator	Version
stephen_craton:chatness	stephen craton chatness	le	2.5.3

References

secunia.com/advisories/24873

securityreason.com/securityalert/2595

www.securityfocus.com/archive/1/465547/100/0/threaded

www.vupen.com/english/advisories/2007/1386

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.9 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.4%

JSON

Related for CVE-2007-2148

prion1 cvelist1 nvd1