CVE-2010-4330
Published: 2010-12-07
Priority: P3 | 38 | medium | CVSS 2.0 base score 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit available (see the Exploit-DB entry below)
EPSS: 2.63% (83.6th percentile)
Directory traversal vulnerability in includes/controller.php in Pulse CMS Basic before 1.2.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the p parameter to index.php. The public proof of concept walks up the directory tree to /etc/passwd and terminates the path with a %00 null byte; as the advisory below notes, that only works when magic_quotes_gpc is disabled (which would otherwise escape the null byte), and, a caveat not stated on this page, only on PHP releases before 5.3.4, which began rejecting include paths that contain a NUL byte. A vulnerable controller.php on a current PHP build would still expose files that need no extension truncation.
Affected
16 ranges listed by the source; only one carries version data, the rest are empty duplicates and are omitted here.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pulsecms | pulse_cms | <= 1.2.8 | 1.2.9 (per vendor release notes) |
No detection rules found.
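Since the page indexes no detection rule, here is an added example that is neither Pulse CMS code nor taken from any source on this page: the detection side applies the traversal and null-byte check from the description to a constructed access-log sample (including a double-encoded variant that a single-decode rule would miss), and resolve_page shows the allowlist-plus-realpath pattern that closes this bug class in a page loader. The log lines, the pages directory, the `.txt` extension and the page-name pattern are all assumptions made for illustration.

```python
"""Added example (not Pulse CMS code): spotting and blocking the
index.php?p=../../etc/passwd%00 pattern behind CVE-2010-4330."""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Dec/2010:10:00:01 +0000] "GET /index.php?p=about HTTP/1.1" 200 1532
203.0.113.9 - - [07/Dec/2010:10:00:02 +0000] "GET /index.php?p=/../../../../../../../../etc/passwd%00 HTTP/1.1" 200 2211
203.0.113.9 - - [07/Dec/2010:10:00:03 +0000] "GET /index.php?p=..%252f..%252fetc%252fpasswd%2500 HTTP/1.1" 200 2211
203.0.113.7 - - [07/Dec/2010:10:00:04 +0000] "GET /index.php?p=contact HTTP/1.1" 200 1499
"""

# Client IP and request target out of a combined-log line.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so %252e (double-encoded '.') is seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_lfi_probe(p_value):
    """True if p carries a '..' path segment or a NUL truncation byte."""
    decoded = decode_fully(p_value)
    if "\x00" in decoded:
        return True
    segments = re.split(r"[\\/]+", decoded)  # treat '\' like '/' as well
    return ".." in segments


def scan_log(text):
    """Return (ip, p value as the server saw it) for each matching request."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for p in parse_qs(query, keep_blank_values=True).get("p", []):
            if is_lfi_probe(p):
                hits.append((m.group("ip"), p))
    return hits


PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumption: what a page name may look like


def resolve_page(p_value, pages_dir):
    """Hardened replacement for a raw include of the p parameter: allowlist the
    name, then confirm the resolved path stays inside pages_dir.
    Returns None on reject. The '.txt' extension is an assumption."""
    decoded = decode_fully(p_value)
    if not PAGE_NAME_RE.fullmatch(decoded):
        return None
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, decoded + ".txt"))
    if os.path.commonpath([base, candidate]) != base:
        return None  # defence in depth; the allowlist already stops '..'
    return candidate


if __name__ == "__main__":
    for ip, p in scan_log(SAMPLE_LOG):
        print(f"LFI probe from {ip}: p={p!r}")
    print(resolve_page("about", "/srv/pulse/pages"))
    print(resolve_page("../../etc/passwd%00", "/srv/pulse/pages"))
```

The detector decodes until the value stops changing rather than once, because the web server logs the raw query string and attackers routinely double-encode the dots and the null byte. The fix side deliberately does not try to strip `..` out of the input; it rejects anything that is not a plain page name and keeps the realpath containment check only as a second line of defence.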
Exploit-DB
Pulse CMS Basic - Local File Inclusion (EDB-ID 15691, published 2010-12-05, CVSS 6.8, MEDIUM)
---
'Pulse CMS Basic' Local File Inclusion Vulnerability (CVE-2010-4330)
Mark Stanislav - [email protected]
I. DESCRIPTION
A vulnerability exists in the 'includes/controller.php' script that allows for arbitrary local file inclusion due to a null-byte attack.
II. TESTED VERSION
Version 1.2.8
III. AFFECTED VERSIONS
< 1.2.9
IV. PoC EXPLOIT
http://www.example.com/index.php?p=/../../../../../../../../../../../../../../etc/passwd%00
V. NOTES
* magic_quotes_gpc must be disabled for null-byte attacks to work
* This issue did not affect Pulse CMS Pro according to the vendor
VI. SOLUTION
Upgrade all previously installed versions to 1.2.9
VII. REFERENCES
http://pulsecms.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4330
http
No writeups or analysis indexed.
References
- http://osvdb.org/69622
- http://pulsecms.com/release-notes.php
- http://secunia.com/advisories/42462
- http://www.exploit-db.com/exploits/15691
- http://www.securityfocus.com/archive/1/515029/100/0/threaded
- http://www.securityfocus.com/bid/45186
- http://www.uncompiled.com/2010/12/pulse-cms-basic-local-file-inclusion-vulnerability-cve-2010-4330/
- http://www.vupen.com/english/advisories/2010/3128