Описание
phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts.
Ссылки
- Mailing ListThird Party Advisory
- Third Party AdvisoryVDB Entry
- Mailing ListThird Party Advisory
- Third Party AdvisoryVDB Entry
Уязвимые конфигурации
EPSS
7.5 High
CVSS3
6 Medium
CVSS2
Дефекты
Связанные уязвимости
phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts.
EPSS
7.5 High
CVSS3
6 Medium
CVSS2