CVE-2006-4548

{"id": "CVE-2006-4548", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2006-09-06T00:04:00.000", "references": [{"url": "http://retrogod.altervista.org/e107_075_xpl.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://securityreason.com/securityalert/1497", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/444644/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://retrogod.altervista.org/e107_075_xpl.html", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://securityreason.com/securityalert/1497", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/archive/1/444644/100/0/threaded", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "e107 0.75 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code via the tinyMCE_imglib_include image/jpeg parameter in e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php, as demonstrated by a multipart/form-data request. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in e107."}, {"lang": "es", "value": "e107 0.75 y anteriores no se asignan correctamente variables cuando los datos de entrada incluyen un par\u00e1metro num\u00e9rico con un valor que empareja el valor del hash de un par\u00e1metro alfanum\u00e9rico, lo que permite a un atacante remoto ejecutar c\u00f3digo PHP de su elecci\u00f3n a trav\u00e9s del par\u00e1metro tinyMCE_imglib_include image/jpeg en e107_handlers/tiny_mce/plugins/ibrowser/ibrowser como se demostr\u00f3 por una petici\u00f3n a multipart/form-data. NOTA: podr\u00eda ser discutido que esta vulnerabilidad se deba a un fallo en la desasignaci\u00f3n del comando de PHP (CVE-2006-3017) y el arreglo apropiado debe estar en PHP; si es as\u00ed entonces esto no se debe tratar como vulnerabilidad en e107."}], "lastModified": "2024-11-21T00:16:13.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:e107:e107:0.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "70AB914E-D616-45D2-A451-1C247B8B6E4C"}, {"criteria": "cpe:2.3:a:e107:e107:0.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA03C1AC-97EA-47ED-9558-A7CA48420AB2"}, {"criteria": "cpe:2.3:a:e107:e107:0.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32695A82-B042-46B7-9CB4-20F3446E0C9E"}, {"criteria": "cpe:2.3:a:e107:e107:0.7.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6716A040-0CBE-4402-AB2A-1621B1240B0F"}, {"criteria": "cpe:2.3:a:e107:e107:0.7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81627355-AB45-4D47-8DD2-4087E6971EF2"}, {"criteria": "cpe:2.3:a:e107:e107:0.7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D2DAAA4F-B893-4914-8538-E68DDA211225"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}