CVE-2008-5071
published 2008-11-14CVE-2008-5071: Multiple eval injection vulnerabilities in itpm_estimate.php in Yoxel 1.23beta and earlier allow remote authenticated users to execute arbitrary PHP code via…
PriorityP351critical9CVSS 2.0
AVNACLAuSCCICAC
EXPLOIT
EPSS
6.28%
92.7th percentile
Multiple eval injection vulnerabilities in itpm_estimate.php in Yoxel 1.23beta and earlier allow remote authenticated users to execute arbitrary PHP code via the proj_id parameter.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yoxel | yoxel | <= 1.23beta | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
| yoxel | yoxel | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
CWE
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
mitre_cwe
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Implementation
Note: This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables.
Common Consequences:
Scope: Confidentiality. Impact: Read Files or Directories, Read Application Data. The injected code could access restricted data / files.
Scope: Access Control. Impact:
CWE
Improper Control of Generation of Code ('Code Injection')
mitre_cwe
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism. In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Access Control. Impact: Gain Privileges or Assume Identity. Injected code can access resources that the attacker is directly prevented from ac
http://securityreason.com/securityalert/4591http://www.securityfocus.com/bid/31448https://exchange.xforce.ibmcloud.com/vulnerabilities/45488https://www.exploit-db.com/exploits/6606http://securityreason.com/securityalert/4591http://www.securityfocus.com/bid/31448https://exchange.xforce.ibmcloud.com/vulnerabilities/45488https://www.exploit-db.com/exploits/6606
2008-11-14
Published