CVE-2002-2045

x_stat_admin.php in x-stat 2.3 and earlier allows remote attackers to (1) execute PHP commands such as phpinfo or (2) obtain the full path of the web server via an invalid action parameter, which leaks the pathname in an error message.

CVSS v2.0 6.4 MEDIUM

6.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://seclists.org/lists/vuln-dev/2002/Mar/0156.html
http://www.ifrance.com/kitetoua/tuto/x_holes.txt	Vendor Advisory
http://www.securityfocus.com/bid/4279
http://www.securityfocus.com/bid/4280
http://securitytracker.com/id?1003827	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/8467
https://exchange.xforce.ibmcloud.com/vulnerabilities/8466

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xqus:x-stat:2.2:::::::*
	cpe:2.3:a:xqus:x-stat:2.3:::::::*

Information

Published : 2002-12-30 21:00

Updated : 2017-07-10 18:29

NVD link : CVE-2002-2045

Mitre link : CVE-2002-2045

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

xqus

x-stat

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://seclists.org/lists/vuln-dev/2002/Mar/0156.html", "name": "20020313 X_holes", "tags": [], "refsource": "VULN-DEV"}, {"url": "http://www.ifrance.com/kitetoua/tuto/x_holes.txt", "name": "http://www.ifrance.com/kitetoua/tuto/x_holes.txt", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/4279", "name": "4279", "tags": [], "refsource": "BID"}, {"url": "http://www.securityfocus.com/bid/4280", "name": "4280", "tags": [], "refsource": "BID"}, {"url": "http://securitytracker.com/id?1003827", "name": "1003827", "tags": ["Exploit"], "refsource": "SECTRACK"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8467", "name": "xstat-phpinfo-reveal-info(8467)", "tags": [], "refsource": "XF"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8466", "name": "xstat-action-reveal-path(8466)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "x_stat_admin.php in x-stat 2.3 and earlier allows remote attackers to (1) execute PHP commands such as phpinfo or (2) obtain the full path of the web server via an invalid action parameter, which leaks the pathname in an error message."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2002-2045", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 4.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2002-12-31T05:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:xqus:x-stat:2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:xqus:x-stat:2.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-07-11T01:29Z"}