HIGH✓ PATCH🇬🇧 English

CVE-2018-17984

CVSS 7.8v3.0pub. 2018-10-04upd. 2024-11-21

An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access.

oryginał EN
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Ispconfig

    APP
    Ispconfig
    < 3.1.13
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
RCE
CWE
Referencje

Powiązane podatności

CVE-2021-3021CRITICAL9.8ten sam produkt

ISPConfig before 3.2.2 allows SQL injection.

CVE-2020-9398CRITICAL9.8ten sam produkt

ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled,...

CVE-2012-2087CRITICAL9.8ten sam produkt

ISPConfig 3.0.4.3: the "Add new Webdav user" can chmod and chown entire server from client interface.

CVE-2023-46818HIGH7.2ten sam produkt

An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file ...

CVE-2013-3629HIGH8.8ten sam produkt

ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution