CVE-2004-0490
published 2004-08-18

Priority: P430
CVSS 2.0: 7.2 (high), vector AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 4.47% (90.3th percentile)
cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529.

Affected

13 ranges
Vendor | Product | Version range | Fixed in
cpanel | cpanel | |