#VU14193 PHP code injection in OCS inventory NG - CVE-2018-14857
Published: August 3, 2018 / Updated: August 6, 2018
Vulnerability identifier: #VU14193
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-14857
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OCS inventory NG
Software vendor:
OCS inventory NG
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary PHP code on the target system.
The weakness is due to insufficient validation of user-supplied input. A remote attacker can upload a specially crafted template file containing PHP code and execute arbitrary PHP code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install the update from the vendor's website.