CVE-2013-3631
Published 2013-11-02
Priority: P345, medium
CVSS 2.0: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
EXPLOIT
EPSS: 12.63% (95.8th percentile)
NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced | Execute Command" feature. NOTE: this issue might not be a vulnerability, since it appears to be part of legitimate, intentionally-exposed functionality by the developer and is allowed within the intended security policy.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nas4free | nas4free | <= 9.1.0.1.804 | — |
| nas4free | nas4free | — | — |
No detection rules found.
Exploit-DB
NAS4Free - Remote Code Execution (Metasploit)
exploitdb·2013-10-31
---
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'rexml/document'
class Metasploit4 'NAS4Free Arbitrary Remote Code Execution',
'Description' => %q{
NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have
the code executed remotely. This module was successfully tested against NAS4Free version
9.1.0.1.804. Earlier builds are likely to be vulnerable as well.
},
'Author' => [
'Brandon Perry ' # Discovery / msf module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-3631'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
```
Metasploit
NAS4Free Arbitrary Remote Code Execution
metasploit
NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have the code executed remotely. This module was successfully tested against NAS4Free version 9.1.0.1.804. Earlier builds are likely to be vulnerable as well.
No writeups or analysis indexed.
Published: 2013-11-02