Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-5185 — Infinite Loop in Geshi

CWE-3995 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

5.0%

top 10.27%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Qbnz Geshi Debian Geshi Geshi

Timeline

PublishedNov 21

Latest updateMay 17

Description

The highlighting functionality in geshi.php in GeSHi before 1.0.8 allows remote attackers to cause a denial of service (infinite loop) via an XML sequence containing an opening delimiter without a closing delimiter, as demonstrated using "<".

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/geshi< geshi 1.0.8.1-1 (bookworm)

▶Debianqbnz/geshi< 1.0.8.1-1+3

▶NVDgeshi/geshi1.0.7.22+30

🔴Vulnerability Details

GHSA

GHSA-mc42-h89m-gwgp: The highlighting functionality in geshi↗2022-05-17

▶

OSV

CVE-2008-5185: The highlighting functionality in geshi↗2008-11-21

▶

💥Exploits & PoCs

Exploit-DB

GeSHi 1.0.x - XML Parsing Remote Denial of Service↗2008-11-20

▶

📋Vendor Advisories

Debian

CVE-2008-5185: geshi - The highlighting functionality in geshi.php in GeSHi before 1.0.8 allows remote ...↗2008

▶