Description
Multiple vendor applications use phpThumb(). phpThumb() uses the GD library to create thumbnails from images (JPEG, PNG, GIF, BMP, etc.) on the fly. phpThumb() versions 1.7.9 and below contain a command injection vulnerability that allows an attacker to execute arbitrary shell commands on the web server. To test this vulnerability, Acunetix created a file named cache/acunetix.
Remediation
Upgrade to the latest version of phpThumb.
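Added example (not Acunetix's or the phpThumb project's code): a small Python script a defender can run over web server access logs to flag phpThumb.php requests whose decoded parameter values carry shell metacharacters, plus a check for the cache/acunetix proof-of-concept file the description mentions. The log lines are constructed, the Apache common log format and the src parameter name are assumptions, and the character list is a heuristic, not a signature for the specific vulnerable parameter.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit, unquote_plus

# Characters that have no place in an image path or a numeric size parameter
# but are meaningful to a shell. Any one of them in a decoded phpThumb
# parameter value is worth a closer look (heuristic, not a full signature).
SHELL_METACHARS = re.compile(r"[;|&`$(){}<>\n\r]")

# Apache "common" log format (assumed): client ident user [time] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log lines, not real traffic. Line 2 carries a percent-encoded
# ';' in the src parameter (a typical probe shape); the others are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /phpThumb/phpThumb.php?src=images/logo.png&w=120 HTTP/1.1" 200 4321
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /phpThumb/phpThumb.php?src=images/logo.png%3B%20id&w=120 HTTP/1.1" 200 120
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?q=a%3Bb HTTP/1.1" 200 9876
this line is not in log format and is skipped
"""


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode each name and value.

    Done by hand rather than with parse_qsl so that ';' inside a value is kept
    (older Pythons treat ';' as a pair separator, which would hide exactly the
    character we want to see).
    """
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_params(target):
    """Return (name, value) pairs of a phpThumb.php request whose decoded value has shell metacharacters.

    Requests for any other script return an empty list, so the check stays
    focused on the component the advisory is about.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("phpthumb.php"):
        return []
    return [(n, v) for n, v in parse_query(parts.query) if SHELL_METACHARS.search(v)]


def scan_log(text):
    """Return (client, time, target, hits) for every log line with a suspicious phpThumb request."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a recognised access-log line
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("client"), m.group("time"), m.group("target"), hits))
    return findings


def has_scanner_artifact(webroot):
    """True if the proof-of-concept file the advisory names (cache/acunetix) exists under webroot."""
    return os.path.isfile(os.path.join(webroot, "cache", "acunetix"))


def demo_artifact_check():
    """Show the artifact check on a throw-away web root: (before file exists, after it is created)."""
    with tempfile.TemporaryDirectory() as webroot:
        before = has_scanner_artifact(webroot)
        os.makedirs(os.path.join(webroot, "cache"))
        with open(os.path.join(webroot, "cache", "acunetix"), "w") as fh:
            fh.write("constructed marker file\n")
        after = has_scanner_artifact(webroot)
    return before, after


if __name__ == "__main__":
    for client, when, target, hits in scan_log(SAMPLE_LOG):
        print(f"{when} {client} {target}")
        for name, value in hits:
            print(f"    param {name!r} -> {value!r}")
    print("artifact check (before, after):", demo_artifact_check())
```

Feed real logs in with `scan_log(open(path).read())`; a hit is a reason to pull the request, check the phpThumb version in use against the 1.7.9 boundary, and look for the cache/acunetix file or other unexpected files in the cache directory.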