cbcvebase.
CVE-2014-4170
published 2020-02-13

CVE-2014-4170: A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient access restrictions in the data.php script, which…

PriorityP265critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
14.48%
96.2th percentile
A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient access restrictions in the data.php script, which could let a remote malicious user obtain access or modify or delete database information.

Affected

1 ranges
VendorProductVersion rangeFixed in
freereprintablesarticlefr<= 3.0.4

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://[host]/data.php?pk=2&pkf=id&f=membership&value=admin&t=users
path/data.php
  • Alert on unauthenticated GET requests to /data.php containing query parameters targeting the 'users' table (t=users) with membership field manipulation (f=membership&value=admin).
  • ·The vulnerability was still present in versions 3.0.2 and 3.0.4 despite vendor claims of a fix; no official patch was confirmed available at time of disclosure.
  • ·An unofficial patch was developed by High-Tech Bridge and should be evaluated as a mitigation until an official fix is confirmed.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.