CVE-2014-8686

Опубликовано: 19 сент. 2017

Источник: nvd

CVSS3: 9.8

CVSS2: 5

EPSS Средний

Описание

CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available.

Ссылки

http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
Third Party Advisory
VDB Entry
https://beyondbinary.io/articles/seagate-nas-rce/
Exploit
Third Party Advisory
https://codeigniter.com/userguide2/changelog.html
Vendor Advisory
https://www.dionach.com/blog/codeigniter-session-decoding-vulnerability
Third Party Advisory
http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
Third Party Advisory
VDB Entry
https://beyondbinary.io/articles/seagate-nas-rce/
Exploit
Third Party Advisory
https://codeigniter.com/userguide2/changelog.html
Vendor Advisory
https://www.dionach.com/blog/codeigniter-session-decoding-vulnerability
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*

Версия до 2.1.4 (включая)

EPSS

Процентиль: 97%

0.34041

Средний

9.8 Critical

CVSS3

5 Medium

CVSS2

Дефекты

CWE-310

Связанные уязвимости

CVE-2014-8686

CVSS3: 9.8

debian

больше 8 лет назад

CodeIgniter before 2.2.0 makes it easier for attackers to decode sessi ...

GHSA-xrhp-vgm2-2xvr

CVSS3: 9.8

github

больше 3 лет назад

CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available.

EPSS

Процентиль: 97%

0.34041

Средний

9.8 Critical

CVSS3

5 Medium

CVSS2

Дефекты

CWE-310