cbcvebase.
CVE-2007-2348
published 2007-04-27


Priority: P428 medium
CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 3.17% (86.4th percentile)
mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alexander_v_lukyanov | lftp | <= 3.5.8 | |
| alexander_v_lukyanov | lftp | >= 0 < 3.5.9-1 | 3.5.9-1 |
| alexander_v_lukyanov | lftp | >= 0 < 3.5.9-1 | 3.5.9-1 |
| alexander_v_lukyanov | lftp | >= 0 < 3.5.9-1 | 3.5.9-1 |
| alexander_v_lukyanov | lftp | >= 0 < 3.5.9-1 | 3.5.9-1 |
| debian | lftp | < lftp 3.5.9-1 (bookworm) | lftp 3.5.9-1 (bookworm) |

CVSS provenance

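| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 6.8 | MEDIUM | |
| vendor_debian | | 6.8 | LOW | |
| vendor_redhat | | 6.8 | MEDIUM | |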