CVE-2016-4010

Опубликовано: 23 янв. 2017

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Высокий

Описание

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.

Ссылки

http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/
Technical Description
Third Party Advisory
https://magento.com/security/patches/magento-206-security-update
Patch
Vendor Advisory
https://packetstormsecurity.com/files/137121/Magento-Unauthenticated-Arbitrary-File-Write.html
Exploit
Third Party Advisory
VDB Entry
https://packetstormsecurity.com/files/137312/Magento-2.0.6-Unserialize-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/39838/
http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/
Technical Description
Third Party Advisory
https://magento.com/security/patches/magento-206-security-update
Patch
Vendor Advisory
https://packetstormsecurity.com/files/137121/Magento-Unauthenticated-Arbitrary-File-Write.html
Exploit
Third Party Advisory
VDB Entry
https://packetstormsecurity.com/files/137312/Magento-2.0.6-Unserialize-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/39838/

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:magento:magento:*:*:*:*:community:*:*:*

Версия до 2.0.5 (включая)

cpe:2.3:a:magento:magento:*:*:*:*:enterprise:*:*:*

Версия до 2.0.5 (включая)

EPSS

Процентиль: 99%

0.87063

Высокий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-74

Связанные уязвимости

GHSA-2xwv-qj35-wxv7