CVE-2008-5186Improper Input Validation in Geshi

CWE-20Improper Input Validation4 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.9%
top 23.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
DokuwikiQbnz GeshiDebian Dokuwiki+2 more
Timeline
PublishedNov 21
Latest updateMay 17

Description

The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default lan

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages5 packages

debiandebian/geshi< dokuwiki 0.0.20080505-3.1 (bookworm)
Debianqbnz/geshi< 1.0.8.1-1+3
NVDgeshi/geshi1.0.8+31
debiandebian/dokuwiki< dokuwiki 0.0.20080505-3.1 (bookworm)
Debiandokuwiki/dokuwiki< 0.0.20080505-3.1+3

Patches

Patch: sourceforge.netPatch: www.securityfocus.comPatch: sourceforge.net

🔴Vulnerability Details

2
GHSA
GHSA-rhpx-cf93-fp5q: ** DISPUTED ** The set_language_path function in geshi2022-05-17
OSV
CVE-2008-5186: The set_language_path function in geshi2008-11-21

📋Vendor Advisories

1
Debian
CVE-2008-5186: dokuwiki - The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi...2008