Описание
Pheap 2.0 allows remote attackers to bypass authentication by setting a pheap_login cookie value to the administrator's username, which can be used to (1) obtain sensitive information, including the administrator password, via settings.php or (2) upload and execute arbitrary PHP code via an update_doc action in edit.php.
Ссылки
- Vendor Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:pheap:pheap:2.0:*:*:*:*:*:*:*
EPSS
Процентиль: 95%
0.16236
Средний
10 Critical
CVSS2
Дефекты
CWE-264
Связанные уязвимости
github
почти 4 года назад
Pheap 2.0 allows remote attackers to bypass authentication by setting a pheap_login cookie value to the administrator's username, which can be used to (1) obtain sensitive information, including the administrator password, via settings.php or (2) upload and execute arbitrary PHP code via an update_doc action in edit.php.
EPSS
Процентиль: 95%
0.16236
Средний
10 Critical
CVSS2
Дефекты
CWE-264