CVE-2018-1999022 — Code Injection in Quickform Project Html Quickform

CWE-94 — Code Injection6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

1.3%

top 20.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Civicrm Debian Civicrm Html Quickform Project Html Quickform

Timeline

PublishedJul 23

Latest updateMay 14

Description

PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, HTML_QuickForm_element's _prepareValue method. that can result in Possible information disclosure, possible impact on data integrity and execution of arbitrary code. This attack appear to be exploitable via A specially crafted query string could …

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/civicrm< civicrm 5.3.1+dfsg-1 (bullseye)

▶Debiancivicrm/civicrm< 5.3.1+dfsg-1

▶NVDcivicrm/civicrm4.6.37+1

▶NVDhtml_quickform_project/html_quickform3.2.14

🔴Vulnerability Details

GHSA

GHSA-ppg7-5cr7-7v24: PEAR HTML_QuickForm version 3↗2022-05-14

▶

OSV

CVE-2018-1999022: PEAR HTML_QuickForm version 3↗2018-07-23

▶

📋Vendor Advisories

Debian

CVE-2018-1999022: civicrm - PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerabi...↗2018

▶

💬Community

Bugzilla

CVE-2018-1999022 php-pear-HTML-QuickForm: remote code execution in several HTML_QuickForm and HTML_QuickForm_hierselect methods [epel-all]↗2019-01-21

▶

Bugzilla

CVE-2018-1999022 php-pear-HTML-QuickForm: remote code execution in several HTML_QuickForm and HTML_QuickForm_hierselect methods↗2019-01-21

▶