CVE-2009-1912
Published 2009-06-04
Priority: P3 | 41 | medium | CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 3.18% (86.5th percentile)
Directory traversal vulnerability in src/func/language.php in webSPELL 4.2.0e and earlier allows remote attackers to include and execute arbitrary local .php files via a .. (dot dot) in a language cookie. NOTE: this can be leveraged for SQL injection by including awards.php.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webspell | webspell | <= 4.2.0e | — |
GHSA
GHSA-4hxx-7755-cw67 (ghsa_unreviewed, 2022-05-02): CVE-2009-1912 [MEDIUM] CWE-22
Directory traversal vulnerability in src/func/language.php in webSPELL 4.2.0e and earlier allows remote attackers to include and execute arbitrary local .php files via a .. (dot dot) in a language cookie. NOTE: this can be leveraged for SQL injection by including awards.php.
Citrix
CVE-2020-8283 (vendor_citrix, 2020-12-14, CVSS 8.8) [HIGH] CWE-269
An authorised user on a Windows host running Citrix Universal Print Server can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9.
No detection rules found.
No writeups or analysis indexed.
References
- http://osvdb.org/54295
- http://secunia.com/advisories/35016
- http://www.osvdb.org/54296
- http://www.securityfocus.com/bid/34862
- http://www.webspell.org/
- http://www.webspell.org/index.php?site=files&file=30
- http://www.webspell.org/index.php?site=news_comments&newsID=130
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50395
- https://www.exploit-db.com/exploits/8622