Description

install/make-config.php in ProjectSend r754 allows remote attackers to execute arbitrary PHP code via the dbprefix parameter, related to replacing TABLES_PREFIX in the configuration file.

Remediation

References

CVE-2017-9741

Related Vulnerabilities

WordPress Plugin Appointment Booking Calendar SQL Injection (1.1.23)

WordPress Plugin Campaign URL Builder Cross-Site Scripting (1.8.1)

WordPress Plugin Gallery by BestWebSoft Cross-Site Scripting (4.2.1)

WordPress Plugin AWSM Team-Team Showcase Local File Inclusion (1.3.1)

WordPress Plugin Chronoforms Cross-Site Request Forgery (7.0.9)

Severity

Critical

Classification

CVE-2017-9741 CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities