CVE-2007-5117
published 2007-09-27CVE-2007-5117: Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13, when register_globals is enabled, allow remote attackers to execute arbitrary…
PriorityP345critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
3.55%
87.9th percentile
Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frontaccounting | frontaccounting | — | — |
| frontaccounting | frontaccounting | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-5xrf-9rc2-jr45: Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1
ghsa_unreviewed·2022-05-01·CVSS 7.5
CVE-2007-5117 [HIGH] CWE-94 GHSA-5xrf-9rc2-jr45: Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1
Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279.
GHSA
GHSA-rvpr-2mjf-wch6: ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1
ghsa_unreviewed·2022-05-01·CVSS 7.5
CVE-2007-5148 [HIGH] CWE-94 GHSA-rvpr-2mjf-wch6: ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1
** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.12 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/logout.php or certain PHP scripts under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, (7) purchasing/, (8) reporting/, (9) sales/, or (10) taxes/. NOTE: the config.php vector is already covered by CVE-2007-4279, and the login.php and language.php vectors are already covered by CVE-2007-5117. NOTE: this issue is disputed by CVE because path_to_root is defined before use in all of the other files reported in the original disclosure.
No detection rules found.
No writeups or analysis indexed.
http://arfis.wordpress.com/2007/09/14/rfi-02-frontaccounting/http://secunia.com/advisories/26962http://www.securityfocus.com/bid/25812https://exchange.xforce.ibmcloud.com/vulnerabilities/36796https://www.exploit-db.com/exploits/4456http://arfis.wordpress.com/2007/09/14/rfi-02-frontaccounting/http://secunia.com/advisories/26962http://www.securityfocus.com/bid/25812https://exchange.xforce.ibmcloud.com/vulnerabilities/36796https://www.exploit-db.com/exploits/4456
2007-09-27
Published