CVE-2014-1999

The auto-format feature in the RequestCurl class in FuelPHP 1.1 through 1.7.1 allows remote attackers to execute arbitrary code via a crafted response...

CVE-2014-1999

The auto-format feature in the RequestCurl class in FuelPHP 1.1 through 1.7.1 allows remote attackers to execute arbitrary code via a crafted response...

CVE-2014-1999

CVE-2014-1999 affects FuelPHP’s Request_Curl class (versions 1.1–1.7.1) where an auto-format feature can process crafted responses and lead to arbitrary code execution on the application server. The root cause is unsafe auto-formatting of curl responses, enabling remote code execution when untrus...

JVN#94791545: FuelPHP vulnerable to remote code execution

FuelPHP is a PHP web framework for creating web applications. FuelPHP applications contain an issue in the RequestCurl class, which may result in arbitrary code execution. Impact When specially crafted input is processed, arbitrary files may be deleted or arbitrary code may be executed on the...

auto-format of Curl responses may lead to code execution

When executing a cURL request using the RequestCurl class with an unvalidated URL provided by user input, or a request to a malicious or a legitimate but hacked website, a specially crafted response can lead to auto-execution of malicious code, due to the way the auto formatting mechanism works...