Vulnerability CVE-2014-1683
Published: 2014-01-29

Description:
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php.

See advisories in our WLB2 database:
Topic
Author
Date
High
SkyBlueCanvas CMS 1.1 r248-03 Command Injection
Scott Parish
28.01.2014

Type:

CWE-78

 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') )

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Skybluecanvas -> Skybluecanvas 

 References:
http://xforce.iss.net/xforce/xfdb/90670
http://www.securityfocus.com/bid/65129
http://www.exploit-db.com/exploits/31432
http://www.exploit-db.com/exploits/31183
http://seclists.org/fulldisclosure/2014/Jan/159
http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html
Copyright 2024, cxsecurity.com

 

Back to Top