CVE-2009-0673

Eval injection vulnerability in the Custom Fields feature in the Your Account module in Raven Web Services RavenNuke 2.30 allows remote authenticated administrators to execute arbitrary PHP code via the ID Field Name box in a yaCustomFields action to admin.php.

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://ravenphpscripts.com/postt17156.html
http://www.securityfocus.com/archive/1/500988/100/0/threaded
http://www.securityfocus.com/bid/33787
http://www.waraxe.us/advisory-72.html	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/48790
https://www.exploit-db.com/exploits/8068

Configurations

Configuration 1 (hide)

cpe:2.3:a:ravenphpscripts:ravennuke:2.30:*:*:*:*:*:*:*

History

No history.

Information

Published : 2009-02-22 22:30

Updated : 2024-02-04 17:33

NVD link : CVE-2009-0673

Mitre link : CVE-2009-0673

CVE.ORG link : CVE-2009-0673

JSON object : View

Products Affected

ravenphpscripts

ravennuke

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2009-0673", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-02-22T22:30:00.907", "references": [{"url": "http://ravenphpscripts.com/postt17156.html", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/500988/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/33787", "source": "cve@mitre.org"}, {"url": "http://www.waraxe.us/advisory-72.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48790", "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/8068", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Eval injection vulnerability in the Custom Fields feature in the Your Account module in Raven Web Services RavenNuke 2.30 allows remote authenticated administrators to execute arbitrary PHP code via the ID Field Name box in a yaCustomFields action to admin.php."}, {"lang": "es", "value": "Vulnerabilidad del inyecci\u00f3n \"Eval\" en la caracter\u00edstica Custom Fields en el modulo Your Account en Raven Web Services RavenNuke v2.30 lo que permite a administradores remotos autentificados ejecutar codigo PHP a su elecci\u00f3n a trav\u00e9s de la secci\u00f3n ID Field Name en la acci\u00f3n yaCustomFields a admin.php."}], "lastModified": "2018-10-10T19:30:01.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ravenphpscripts:ravennuke:2.30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24561E2B-3481-4E0C-8115-14A7FBB2F176"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}