CVE-2018-1000533
published 2018-06-26

Priority: P278
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 72.97% (99.4th percentile)
klaussilveira GitList version <= 0.6 contains a "passing incorrectly sanitized input to system function" vulnerability in the `searchTree` function that can result in execution of arbitrary code as the PHP user. The attack appears to be exploitable by sending a POST request using the search form. The vulnerability appears to have been fixed in 0.7, after commit 87b8c26b023c3fc37f0796b14bb13710f397b322.

Affected (1 range)

Vendor: gitlist
Product: gitlist
Version range: <= 0.6.0
Fixed in: (not given)

Detection & IOCs (extracted from sources)

URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/gitlist_arg_injection.rb
Commit hash: 87b8c26b023c3fc37f0796b14bb13710f397b322
  • Monitor for POST requests to GitList search form endpoints: the exploit is delivered via a POST request to the search functionality, which reaches the `searchTree` function.
  • Detect GitList version 0.6.0 or earlier in HTTP responses using the regex pattern `GitList (.*?)'` on the response body, as used by nuclei detection templates.
  • The vulnerability is rooted in improper use of `escapeshellarg` in PHP; alert on argument injection patterns (e.g., shell metacharacters or `--` flag injection) in search query parameters sent to GitList instances.
  • The vulnerability is only present in GitList <= 0.6; instances running 0.7+ (post-commit 87b8c26b) are patched. Scope detection rules accordingly to avoid false positives on patched deployments.
  • Code execution occurs in the context of the PHP user running the web server process, so post-exploitation impact is bounded by that user's OS privileges.
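As an added example (not code from this page, from GitList, or from the linked module), the detection logic in the notes above run over constructed request records: the version-banner regex quoted in the notes, plus a check of POST search requests for the two argument-injection shapes the notes name. The search path ending in `/search` and the form field name `query` are assumptions.

```python
import json
import re
# Version banner regex quoted in the detection notes above.
GITLIST_VERSION_RE = re.compile(r"GitList (.*?)'")
LAST_VULNERABLE = (0, 6, 0)
# Assumptions (not from the page): search requests hit a path ending in
# "/search" and carry the search term in a form field named "query".
SEARCH_PATH_RE = re.compile(r"/search/?$")
SHELL_METACHARS = set(";|&`$(){}<>\n")


def parse_version(body):
    # Return (major, minor, patch) from a response body, or None if no banner.
    m = GITLIST_VERSION_RE.search(body)
    if not m:
        return None
    parts = [int(p) for p in re.findall(r"\d+", m.group(1))[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(body):
    v = parse_version(body)
    return v is not None and v <= LAST_VULNERABLE


def classify_query(q):
    # A leading '-' is the `--flag` argument-injection shape; metacharacters
    # cover the generic shell-injection shape named in the notes.
    if q.lstrip().startswith("-"):
        return "option-injection"
    if SHELL_METACHARS & set(q):
        return "shell-metachar"
    return None


def scan_request_log(lines):
    # Flag POST requests to a search endpoint whose query looks injected.
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or not SEARCH_PATH_RE.search(rec.get("path", "")):
            continue
        label = classify_query(rec.get("form", {}).get("query", ""))
        if label:
            hits.append((rec["src"], rec["path"], label))
    return hits


# Constructed sample request records (JSON lines), not real traffic.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","method":"POST","path":"/app/tree/master/search","form":{"query":"TODO"}}',
    '{"src":"10.0.0.9","method":"POST","path":"/app/tree/master/search","form":{"query":"--opt=x"}}',
    '{"src":"10.0.0.3","method":"POST","path":"/app/tree/master/search","form":{"query":"foo|bar"}}',
]
```

Pair the version check with the request scan: a hit from an instance whose banner parses as 0.7 or later is a candidate false positive under the scoping note above.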

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, vector AV:N/AC:L/Au:N/C:P/I:P/A:P