Lucene search

GitHub_MCVELIST:CVE-2020-11084

HistoryJul 14, 2020 - 9:15 p.m.

CVE-2020-11084 Command Injection in iPear

2020-07-1421:15:13

CWE-78

GitHub_M

www.cve.org

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.9%

JSON

In iPear, the manual execution of the eval() function can lead to command injection. Only PCs where commands are manually executed via “For Developers” are affected. This function allows executing any PHP code within iPear which may change, damage, or steal data (files) from the PC.

CNA Affected

[
  {
    "product": "iPear",
    "vendor": "yaBobJonez",
    "versions": [
      {
        "status": "affected",
        "version": ">= 0.6.14, <= 0.6.15"
      },
      {
        "status": "affected",
        "version": "= 0.7.0"
      }
    ]
  }
]

References

github.com/yaBobJonez/iPear/security/advisories/GHSA-4xvp-35fx-hjjj

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.9%

JSON

Related for CVELIST:CVE-2020-11084