CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile: 98.9%
Hans Ulrich Niedermann reports:
The TWiki search function uses a user-supplied search
string to compose a command line executed by the Perl
backtick (``) operator.
The search string is not checked properly for shell
metacharacters and is thus vulnerable to search strings
containing quotes and shell commands.
IMPACT: An attacker is able to execute arbitrary shell
commands with the privileges of the TWiki process.
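
The pattern the report describes, next to a form that keeps the shell out of the path. This is an added example, not TWiki's code or its actual fix; it assumes grep as the search backend, and the function names and sample files are hypothetical and constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample data: a throwaway directory with two topic files.
my $dir = tempdir(CLEANUP => 1);
my @files;
for my $t (['WebHome.txt', "Welcome to the wiki\n"],
           ['Notes.txt',   "it's a note; nothing else\n"]) {
    my $path = "$dir/$t->[0]";
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} $t->[1];
    close $fh;
    push @files, $path;
}

# Pattern from the report (built here, never executed): the search string
# is interpolated into one command line that backticks would pass to /bin/sh.
sub unsafe_command_line {
    my ($search, @topics) = @_;
    return "grep -l '$search' @topics";   # a quote in $search ends the quoting
}

# Hardened form (assumed design): list-form pipe open runs grep directly,
# so no shell ever parses the search string.
sub safe_search {
    my ($search, @topics) = @_;
    return () unless @topics;
    # -F: fixed string, not a regex. -e: the pattern cannot be read as an
    # option even if it starts with '-'. --: end of options before file names.
    open my $out, '-|', 'grep', '-l', '-F', '-e', $search, '--', @topics
        or die "cannot run grep: $!";
    chomp(my @hits = <$out>);
    close $out;   # grep exits 1 when nothing matches; not treated as an error
    return @hits;
}

# Constructed input containing a quote and a semicolon.
my $search = "it's a note; nothing";
print "a shell would have to parse: ", unsafe_command_line($search, @files), "\n";
print "match: $_\n" for safe_search($search, @files);
```

With the list form, the quote and semicolon reach grep as literal characters of a single argument, so the search matches only the file that contains that exact text.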