Lucene search

[email protected]CVE-2014-1683

HistoryJan 29, 2014 - 6:55 p.m.

CVE-2014-1683

2014-01-2918:55:00

CWE-134

[email protected]

web.nvd.nist.gov

cve-2014-1683

skybluecanvas cms

arbitrary commands

remote attackers

shell metacharacters

nvd

7.8 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.958 High

EPSS

Percentile

99.4%

JSON

The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php.

CPENameOperatorVersion
skybluecanvas:skybluecanvasskybluecanvasle1.1_r248-03

CPE	Name	Operator	Version
skybluecanvas:skybluecanvas	skybluecanvas	le	1.1_r248-03

References

packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html

seclists.org/fulldisclosure/2014/Jan/159

secunia.com/advisories/56646

www.exploit-db.com/exploits/31183

www.exploit-db.com/exploits/31432

www.securityfocus.com/bid/65129

exchange.xforce.ibmcloud.com/vulnerabilities/90670

7.8 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.958 High

EPSS

Percentile

99.4%

JSON

Related for CVE-2014-1683

packetstorm1 cvelist1 dsquare1 prion1 zdt1 checkpoint_advisories1 seebug1