CVE-2019-19208
published 2020-03-16

CVE-2019-19208: Codiad Web IDE through 2.8.4 allows PHP Code injection.

Priority: P2 (72) · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 19.24% (97.0th percentile)

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
codiad   codiad    <= 2.8.4        (none listed)
codiad   codiad    0 – 2.8.4       (none listed)

Detection & IOCs (extracted from sources)

path: /components/install/process.php
path: /config.php
command: '")); system($_GET["cmd"]); print("'
  • Monitor POST requests to /components/install/process.php — the exploit posts a malicious PHP payload via the 'timezone' parameter to inject code into config.php.
  • Detect GET requests to /config.php containing a 'cmd' query parameter, which indicates the injected webshell backdoor is being used for remote command execution.
  • Look for the PHP payload pattern system($_GET["cmd"]) injected into the 'timezone' POST body field during installation requests.
  • The exploit uses X-Requested-With: XMLHttpRequest and Content-Type: application/x-www-form-urlencoded headers when posting the malicious payload — correlate these with requests to the install endpoint.
  • The exploit targets unauthenticated access to the install component; alert on any POST to the install process endpoint from external/untrusted sources on a production Codiad instance.
  • The exploit targets installation paths that vary by OS; defenders should check both /var/www/html/ and /var/www/ for a tampered config.php.
  • The exploit inserts a 10-second sleep between the injection POST and subsequent command execution, which may affect time-based correlation in SIEM rules.
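The detection points above can be turned into a small correlation rule. The following is an added example, not code from the source tracker: it assumes a reverse proxy or WAF that logs request bodies, uses constructed request records (not captured traffic), and flags the install-endpoint POST, the injected timezone payload, and a later config.php?cmd= request from the same source within a window wide enough to cover the 10-second sleep.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request records (labelled: these are not real traffic),
# shaped like a proxy/WAF log that includes form bodies.
REQUESTS = [
    {"ts": 100, "src": "203.0.113.5", "method": "POST",
     "url": "/components/install/process.php",
     "headers": {"X-Requested-With": "XMLHttpRequest",
                 "Content-Type": "application/x-www-form-urlencoded"},
     # URL-encoded form of the payload quoted on this page
     "body": "timezone=%27%22%29%29%3B+system%28%24_GET%5B%22cmd%22%5D%29%3B+print%28%22%27"},
    {"ts": 111, "src": "203.0.113.5", "method": "GET",
     "url": "/config.php?cmd=id", "headers": {}, "body": ""},
    {"ts": 120, "src": "198.51.100.9", "method": "GET",
     "url": "/config.php", "headers": {}, "body": ""},
]

INSTALL_ENDPOINT = "/components/install/process.php"
PAYLOAD_RE = re.compile(r"system\s*\(\s*\$_GET", re.I)
CORRELATION_WINDOW = 30  # seconds; comfortably covers the 10 s sleep

def classify(req):
    """Return the rule names matched by a single request record."""
    hits = []
    parts = urlsplit(req["url"])
    query = parse_qs(parts.query)
    if req["method"] == "POST" and parts.path == INSTALL_ENDPOINT:
        hits.append("install-endpoint-post")
        if req["headers"].get("X-Requested-With") == "XMLHttpRequest":
            hits.append("xhr-install-post")
        form = parse_qs(req["body"])  # decodes %xx and '+' for us
        if PAYLOAD_RE.search(" ".join(form.get("timezone", []))):
            hits.append("timezone-php-injection")
    if parts.path == "/config.php" and "cmd" in query:
        hits.append("config-php-cmd-webshell")
    return hits

def correlate(requests):
    """Pair an injection POST with a later cmd request from the same source."""
    alerts = []
    injections = [r for r in requests if "timezone-php-injection" in classify(r)]
    for inj in injections:
        for r in requests:
            if (r["src"] == inj["src"]
                    and "config-php-cmd-webshell" in classify(r)
                    and 0 <= r["ts"] - inj["ts"] <= CORRELATION_WINDOW):
                alerts.append((inj["src"], inj["ts"], r["ts"]))
    return alerts
```

A production Codiad instance should never see the install endpoint hit at all, so the first rule alone is worth an alert; the correlated pair is the high-confidence signal.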

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P