CVE-2018-5749

Опубликовано: 23 янв. 2018

Источник: nvd

CVSS3: 9.8

CVSS2: 10

EPSS Низкий

Описание

install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, which might allow remote attackers to execute arbitrary PHP code via the (1) database_server, (2) database_user, (3) database_password, or (4) database_name parameter.

Ссылки

https://www.rastating.com/minecraft-servers-list-unauthenticated-shell-upload/
Exploit
Mitigation
Patch
Third Party Advisory
https://www.rastating.com/minecraft-servers-list-unauthenticated-shell-upload/
Exploit
Mitigation
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:premium_minecraft_servers_list_project:premium_minecraft_servers_list:*:*:*:*:*:*:*:*

Версия до 2.0.4 (исключая)

Конфигурация 2

cpe:2.3:a:minecraft_servers_list_lite_project:minecraft_servers_list_lite:*:*:*:*:*:*:*:*

Версия до 1.1 (исключая)

EPSS

Процентиль: 85%

0.02343

Низкий

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-m75p-rvff-x8gj