SB2014091104 - Code Injection in PhpWiki
Published: September 11, 2014 Updated: August 10, 2020
Security Bulletin ID
SB2014091104
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Code Injection (CVE-ID: CVE-2014-5519)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.
Remediation
Install update from vendor's website.
References
- http://osvdb.org/show/osvdb/110576
- http://packetstormsecurity.com/files/128031/PhpWiki-Ploticus-Command-Injection.html
- http://seclists.org/fulldisclosure/2014/Aug/77
- http://seclists.org/oss-sec/2014/q3/456
- http://seclists.org/oss-sec/2014/q3/465
- http://secunia.com/advisories/60293
- http://www.exploit-db.com/exploits/34451