#VU87815 PHP file inclusion in eMerge E3-Series - CVE-2019-7254
Published: March 26, 2024
Vulnerability identifier: #VU87815
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red
CVE-ID: CVE-2019-7254
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
eMerge E3-Series
eMerge E3-Series
Software vendor:
Nice North America
Nice North America
Description
The vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.