#VU35876 Improper Neutralization of Special Elements in Output Used by a Downstream Component in b2evolution


Published: 2019-05-23 | Updated: 2020-08-08

Vulnerability identifier: #VU35876

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8901

CWE-ID: CWE-74

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
b2evolution
Web applications / CMS

Vendor: b2evolution.net

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

b2evolution 6.7.6 suffer from an Object Injection vulnerability in /htsrv/call_plugin.php.

Mitigation
Install update from vendor's website.

Vulnerable software versions

b2evolution: 6.7.6

External links
http://www.openwall.com/lists/oss-security/2016/09/30/3
http://github.com/b2evolution/b2evolution/commit/25c21cf9cc4261324001f9039509710b37ee2c4d
http://github.com/b2evolution/b2evolution/commit/999b5ad1d59760d7e450ceb541f55432fc74cd27

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Improper Neutralization of Special Elements in Output Used by a Downstream Component in b2evolution.net b2evolution