CVE-2008-5186

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2008-5186
The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path

7.5 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://osvdb.org/49488
http://secunia.com/advisories/32559 Vendor Advisory
http://sourceforge.net/project/shownotes.php?release_id=637321 Patch
http://www.openwall.com/lists/oss-security/2008/11/10/8
http://www.securityfocus.com/bid/32070 Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/46271
http://osvdb.org/49488
http://secunia.com/advisories/32559 Vendor Advisory
http://sourceforge.net/project/shownotes.php?release_id=637321 Patch
http://www.openwall.com/lists/oss-security/2008/11/10/8
http://www.securityfocus.com/bid/32070 Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/46271
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:geshi:geshi:*:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.2_beta_1:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.1:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.2:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.3:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.4:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.5:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.6:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.7:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.8:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.9:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.10:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.11:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.12:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.13:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.14:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.15:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.16:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.17:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.18:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.19:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.20:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.21:*:*:*:*:*:*:*
cpe:2.3:a:geshi:geshi:1.0.7.22:*:*:*:*:*:*:*
History

21 Nov 2024, 00:53

Type Values Removed Values Added
References () http://osvdb.org/49488 - () http://osvdb.org/49488 -
References () http://secunia.com/advisories/32559 - Vendor Advisory () http://secunia.com/advisories/32559 - Vendor Advisory
References () http://sourceforge.net/project/shownotes.php?release_id=637321 - Patch () http://sourceforge.net/project/shownotes.php?release_id=637321 - Patch
References () http://www.openwall.com/lists/oss-security/2008/11/10/8 - () http://www.openwall.com/lists/oss-security/2008/11/10/8 -
References () http://www.securityfocus.com/bid/32070 - Patch () http://www.securityfocus.com/bid/32070 - Patch
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/46271 - () https://exchange.xforce.ibmcloud.com/vulnerabilities/46271 -

07 Nov 2023, 02:03

Type Values Removed Values Added
Summary ** DISPUTED ** The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path. The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path
Information

Published : 2008-11-21 02:30

Updated : 2024-11-21 00:53

NVD link : CVE-2008-5186

Mitre link : CVE-2008-5186

CVE.ORG link : CVE-2008-5186

JSON object : View

Products Affected

geshi

  • geshi
CWE
CWE-20

Improper Input Validation


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024