cbcvebase.
CVE-2014-1683
published 2014-01-29

CVE-2014-1683: The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4…

PriorityP262medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
31.41%
98.1th percentile
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
skybluecanvasskybluecanvas<= 1.1_r248-03

Detection & IOCsextracted from sources · hover to see the quote

urlindex.php?pid=4
commandA";
pathcms/data/skins/techjunkie/fragments/contacts/functions.php
command";";#{payload.encoded};"
  • Detect POST requests to index.php with query parameter pid=4 containing shell metacharacters (e.g., semicolons, quotes) in the name, email, subject, or message fields.
  • The vulnerability is a blind command injection — no output is returned in the HTTP response. Monitor for anomalous outbound network activity (e.g., ICMP ping, netcat connections) originating from the web server process following POST requests to index.php?pid=4.
  • Flag HTTP responses whose body matches the pattern '[1.1 r248]' as potentially vulnerable SkyBlueCanvas instances, consistent with the Metasploit check method.
  • The exploit sends a POST to index.php with vars_get pid=4 and vars_post including cid=3 and action=Send alongside the injected name field. Alert on this specific parameter combination.
  • ·The injection is only reachable when the pid parameter equals 4 (the Contact page). Other pid values do not trigger the vulnerable bashMail code path.
  • ·The vulnerability is exploitable by unauthenticated remote users; no credentials are required to reach the contact form.
  • ·Commands execute in the context of the web server process (not necessarily root), limiting but not eliminating impact.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.