Vulnerability CVE-2006-1371
Published: 2006-03-23   Modified: 2012-02-12

Description:
Laurentiu Matei eXpandable Home Page (XHP) CMS 0.5 and earlier allows remote authenticated users to use the HTMLArea FileManager plugin to upload and execute arbitrary PHP files using (1) manager.php, (2) standalonemanager.php, and (3) images.php.

Type:

CWE-94

 (Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
9/10
10/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
XHP -> CMS 

 References:
http://secunia.com/advisories/19353
http://xhp.targetit.ro/index.php?page=3&box_id=34&action=show_single_entry&post_id=10
http://xforce.iss.net/xforce/xfdb/25399
http://xforce.iss.net/xforce/xfdb/25399
http://www.vupen.com/english/advisories/2006/1052
http://www.securityfocus.com/bid/17209
http://www.osvdb.org/24059
http://www.osvdb.org/24058
http://www.milw0rm.com/exploits/1605
http://www.attrition.org/pipermail/vim/2006-March/000649.html
Copyright 2024, cxsecurity.com

 

Back to Top