Summary
Webuzo is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input.
Impact
Remote attackers can exploit this issue to execute arbitrary commands in the context of the affected application.
Solution
Updates are available
Insight
The value of a cookie used by the application is not appropriately validated or sanitised before processing and permits backtick characters. This allows additional OS commands to be injected and executed on the server system, and may result in server compromise.
Affected
Webuzo <= 2.1.3 is vulnerable
other versions may also be affected.
Detection
Check the installed version
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2013-6041, CVE-2013-6042, CVE-2013-6043 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- ASUS RT56U Router Multiple Vulnerabilities
- Apple Safari PDF Javascript Security Bypass Bypass Vulnerability
- Apache Tomcat /servlet Cross Site Scripting
- AlienVault Open Source SIEM (OSSIM) 'timestamp' Parameter Directory Traversal Vulnerability
- ArticleSetup Multiple Cross-Site Scripting and SQL Injection Vulnerabilities