An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access.
oryginał ENCVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HIspconfig
APPIspconfig< 3.1.13
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
RCE
CWE
Referencje
Powiązane podatności
CVE-2021-3021CRITICAL9.8ten sam produkt
ISPConfig before 3.2.2 allows SQL injection.
CVE-2020-9398CRITICAL9.8ten sam produkt
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled,...
CVE-2012-2087CRITICAL9.8ten sam produkt
ISPConfig 3.0.4.3: the "Add new Webdav user" can chmod and chown entire server from client interface.
CVE-2023-46818HIGH7.2ten sam produkt
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file ...
CVE-2013-3629HIGH8.8ten sam produkt
ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution