CVE-2008-5090

Electron Inc. Advanced Electron Forum before 1.0.7 allows remote attackers to execute arbitrary PHP code via PHP code embedded in bbcode in the email parameter, which is processed by the preg_replace function with the eval switch.

CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.gulftech.org/?node=research&article_id=00131-09202008
http://secunia.com/advisories/31978	Vendor Advisory
http://www.securityfocus.com/bid/31268	Exploit
http://www.anelectron.com/board/index.php?tid=3282	Vendor Advisory
http://securityreason.com/securityalert/4598
https://exchange.xforce.ibmcloud.com/vulnerabilities/45270
https://www.exploit-db.com/exploits/6499
http://www.securityfocus.com/archive/1/496552/100/0/threaded

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:anelectron:advanced_electron_forum:1.0.2:::::::*
	cpe:2.3:a:anelectron:advanced_electron_forum:1.0.1:::::::*
	cpe:2.3:a:anelectron:advanced_electron_forum:1.0.4:::::::*
	cpe:2.3:a:anelectron:advanced_electron_forum:1.0.3:::::::*
	cpe:2.3:a:anelectron:advanced_electron_forum::::::::
	cpe:2.3:a:anelectron:advanced_electron_forum:1.0.5:::::::*

Information

Published : 2008-11-14 11:20

Updated : 2018-10-11 13:54

NVD link : CVE-2008-5090

Mitre link : CVE-2008-5090

JSON object : View

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

Advertisement

Products Affected

anelectron

advanced_electron_forum

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.gulftech.org/?node=research&article_id=00131-09202008", "name": "http://www.gulftech.org/?node=research&article_id=00131-09202008", "tags": [], "refsource": "MISC"}, {"url": "http://secunia.com/advisories/31978", "name": "31978", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.securityfocus.com/bid/31268", "name": "31268", "tags": ["Exploit"], "refsource": "BID"}, {"url": "http://www.anelectron.com/board/index.php?tid=3282", "name": "http://www.anelectron.com/board/index.php?tid=3282", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://securityreason.com/securityalert/4598", "name": "4598", "tags": [], "refsource": "SREASON"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45270", "name": "aef-pregreplace-code-execution(45270)", "tags": [], "refsource": "XF"}, {"url": "https://www.exploit-db.com/exploits/6499", "name": "6499", "tags": [], "refsource": "EXPLOIT-DB"}, {"url": "http://www.securityfocus.com/archive/1/496552/100/0/threaded", "name": "20080920 Advanced Electron Forum <= 1.0.6 Remote Code Execution", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Electron Inc. Advanced Electron Forum before 1.0.7 allows remote attackers to execute arbitrary PHP code via PHP code embedded in bbcode in the email parameter, which is processed by the preg_replace function with the eval switch."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-94"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2008-5090", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2008-11-14T19:20Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:anelectron:advanced_electron_forum:1.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:anelectron:advanced_electron_forum:1.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:anelectron:advanced_electron_forum:1.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:anelectron:advanced_electron_forum:1.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:anelectron:advanced_electron_forum:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.0.6"}, {"cpe23Uri": "cpe:2.3:a:anelectron:advanced_electron_forum:1.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-11T20:54Z"}