CVE-2008-5090
published 2008-11-14


Priority: P3 · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network-reachable, low complexity, no authentication, complete confidentiality, integrity and availability impact)
Exploit: available
EPSS: 4.63% (90.6th percentile)
Electron Inc. Advanced Electron Forum before 1.0.7 allows remote attackers to execute arbitrary PHP code via PHP code embedded in bbcode in the email parameter, which is processed by the preg_replace function with the eval switch.

Affected

6 ranges listed, all for the same vendor and product; only the first carries a version bound.

Vendor     | Product                 | Version range | Fixed in
anelectron | advanced_electron_forum | <= 1.0.6      | 1.0.7

Detection & IOCs (extracted from sources)

Payload: [email]{${phpinfo()}}[/email]
  • The bug is a preg_replace call with the /e (eval) modifier processing user-supplied bbcode in the email parameter: the captured text is substituted into the replacement string and the result is evaluated as PHP, so complex variable syntax such as {${phpinfo()}} inside [email] tags executes arbitrary code.
  • Monitor HTTP requests to AEF forum endpoints for bbcode [email] tags (or other bbcode tags) whose content carries PHP complex variable syntax such as ${...} or {$...} in POST body parameters.
  • The vulnerable code pattern is a preg_replace call using the /ies modifiers on bbcode input; look for this pattern in AEF source files as a static indicator of a vulnerable installation. Note that the e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so a working exploit also implies an old PHP runtime.
  • Multiple bbcode tags beyond [email] are vulnerable to the same preg_replace /e eval injection; detection rules should not be scoped solely to the email parameter.
  • The vulnerability requires the bbcode email option to be enabled in the forum configuration (controlled by $globals['bbc_email']); exploitation is only possible when this setting is active.
  • Exploitation requires the attacker to be a forum user able to post content; anonymous/unauthenticated exploitation depends on whether guest posting is permitted.
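The two checks the bullets above ask for, as an added example that is not code from this page or from the AEF project: a static scan of PHP source for preg_replace() calls whose pattern literal carries the e modifier (the L31 indicator), and an inspection of a form-encoded POST body that flags any bbcode tag, not only [email], whose content contains PHP complex variable syntax (the L30 and L32 rules). The PHP lines and the POST bodies below are constructed for the example and are modelled on the pattern described, not taken from AEF; the function names are my own.

```python
import re
from urllib.parse import parse_qs

# Static indicator: preg_replace( "<delim>pattern<delim><modifiers>" ...). Assumes the
# pattern is a quoted string literal with a non-bracket delimiter (the common case);
# escape sequences inside the pattern are consumed as pairs so an escaped delimiter
# such as \/ cannot be mistaken for the closing one.
PREG_E_MODIFIER = re.compile(
    r"""preg_replace\s*\(\s*(['"])(?P<delim>[^\w\s\\])(?P<body>(?:\\.|[^\\])*?)(?P=delim)(?P<mods>[A-Za-z]*)\1""",
    re.DOTALL,
)

# Generic bbcode tag with optional =argument, e.g. [email]...[/email] or [url=...]...[/url].
BBCODE_TAG = re.compile(
    r"\[(?P<tag>[a-z]+)(?:=[^\]]*)?\](?P<body>.*?)\[/(?P=tag)\]",
    re.IGNORECASE | re.DOTALL,
)

# PHP complex (curly) variable syntax: ${...} or {$...}. Under /e the captured text is
# interpolated into the replacement string and evaluated, so either form runs code.
PHP_COMPLEX_VAR = re.compile(r"\$\{|\{\$")


def find_eval_preg_replace(php_source: str) -> list[tuple[int, str]]:
    """Return (line_number, modifiers) for every preg_replace() whose pattern uses the e modifier."""
    hits = []
    for m in PREG_E_MODIFIER.finditer(php_source):
        mods = m.group("mods")
        if "e" in mods:
            line = php_source.count("\n", 0, m.start()) + 1
            hits.append((line, mods))
    return hits


def suspicious_bbcode(form_body: str) -> list[tuple[str, str, str]]:
    """Decode an application/x-www-form-urlencoded POST body and return
    (parameter, tag, tag_content) for each bbcode tag, in any parameter,
    whose content carries PHP complex variable syntax."""
    findings = []
    for param, values in parse_qs(form_body, keep_blank_values=True).items():
        for value in values:
            for m in BBCODE_TAG.finditer(value):
                body = m.group("body")
                if PHP_COMPLEX_VAR.search(body):
                    findings.append((param, m.group("tag").lower(), body))
    return findings


# Constructed PHP sample modelled on the vulnerable pattern; not AEF's real source.
# Line 3 is the vulnerable call (/ies), line 4 is the safe callback form, line 5 has no e modifier.
SAMPLE_PHP = r"""<?php
// bbcode rendering (constructed example)
$message = preg_replace("/\[email\](.*?)\[\/email\]/ies", "bbc_email('\\1')", $message);
$message = preg_replace_callback("/\[email\](.*?)\[\/email\]/is", 'bbc_email', $message);
$message = preg_replace('#\[url\](.*?)\[/url\]#i', '<a href="$1">$1</a>', $message);
"""

# Constructed POST bodies: the first carries the payload from the IOC list, URL-encoded
# as a browser would send it; the second is an ordinary post using the same tag.
MALICIOUS_POST = (
    "subject=hi&message=%5Bemail%5D%7B%24%7Bphpinfo%28%29%7D%7D%5B%2Femail%5D"
    "+and+%5Bb%5Dbold%5B%2Fb%5D"
)
BENIGN_POST = "subject=hi&message=Mail+me+at+%5Bemail%5Dbob%40example.org%5B%2Femail%5D"


if __name__ == "__main__":
    print("static hits:", find_eval_preg_replace(SAMPLE_PHP))
    print("malicious:", suspicious_bbcode(MALICIOUS_POST))
    print("benign:", suspicious_bbcode(BENIGN_POST))
```

The request check deliberately decodes every parameter and matches every tag name, because the same /e pattern applies to other bbcode tags; scoping a rule to the literal string "[email]" or to one parameter name would miss the variants the sources describe. The static check is a heuristic for triage (it will not see patterns built at runtime from variables), but any hit on an e modifier is worth a manual look regardless of which bbcode tag it handles.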