Main Vulnerability Database Vulnerabilities #VU41664

Code Injection in Dotclear - CVE-2014-1613

Published: May 16, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41664

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2014-1613

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Dotclear

Affected software:
Dotclear

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php.

How to mitigate CVE-2014-1613

Install update from vendor's website.

Sources

http://dotclear.org/blog/post/2014/01/20/Dotclear-2.6.2
https://labs.mwrinfosecurity.com/advisories/2014/05/14/dotclear-php-object-injection/

Code Injection in Dotclear - CVE-2014-1613

Detailed vulnerability description

How to mitigate CVE-2014-1613

Sources

Please verify you're human