Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-3009 — Use of Externally-Controlled Format String in Software Mbedthis Appweb Http Server

4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
5.2%
top 10.01%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Mbedthis Software Mbedthis Appweb Http Server
Timeline
PublishedJun 4
Latest updateMay 1

Description

Format string vulnerability in the MprLogToFile::logEvent function in Mbedthis AppWeb 2.0.5-4, when the build supports logging but the configuration disables logging, allows remote attackers to cause a denial of service (daemon crash) via format string specifiers in the HTTP scheme, as demonstrated by a "GET %n://localhost:80/" request.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-g58w-3x65-p39p: Format string vulnerability in the MprLogToFile::logEvent function in Mbedthis AppWeb 2↗2022-05-01
â–¶
CVEList
CVE-2007-3009: Format string vulnerability in the MprLogToFile::logEvent function in Mbedthis AppWeb 2↗2007-06-04
â–¶

💥Exploits & PoCs

1
Exploit-DB
Mbedthis AppWeb 2.2.2 - URL Protocol Format String↗2007-06-12
â–¶
CVE-2007-3009 — MEDIUM severity | cvebase