CVE-2017-7981

Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin. This occurs in the Project Wiki component because the proc_open PHP function is used within PhpWiki before 1.5.5 with a syntax value in its first argument, and an authenticated Tuleap user can control this value, even with shell metacharacters, as demonstrated by a '<?plugin SyntaxHighlighter syntax="c;id"' line to execute the id command.
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:enalean:tuleap:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:phpwiki_project:phpwiki:1.3.10:*:*:*:*:*:*:*

Information

Published : 2017-04-29 09:59

Updated : 2019-10-02 17:03


NVD link : CVE-2017-7981

Mitre link : CVE-2017-7981


JSON object : View

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Advertisement

dedicated server usa

Products Affected

phpwiki_project

  • phpwiki

enalean

  • tuleap