OpenCVE

Direct static code injection vulnerability in admin/settings.php in MyBlog 0.9.8 and earlier allows remote authenticated admin users to inject arbitrary PHP code via the content parameter, which can be executed by accessing index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Myblog	Myblog

Configuration 1 [-]

cpe:2.3:a:myblog:myblog:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://osvdb.org/35392
http://securityreason.com/securityalert/2581
http://www.securityfocus.com/archive/1/465873/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/33707

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-04-18T02:20:00

Updated: 2024-08-07T13:23:50.380Z

Reserved: 2007-04-17T00:00:00

Link: CVE-2007-2082

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-04-18T03:19:00.000

Modified: 2024-11-21T00:29:51.650

Link: CVE-2007-2082

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-04-15T00:00:00", "descriptions": [{"lang": "en", "value": "Direct static code injection vulnerability in admin/settings.php in MyBlog 0.9.8 and earlier allows remote authenticated admin users to inject arbitrary PHP code via the content parameter, which can be executed by accessing index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20070415 MyBlog <= 0.9.8 Remote Command Execution Exploit", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/465873/100/0/threaded"}, {"name": "35392", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/35392"}, {"name": "2581", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/2581"}, {"name": "myblog-settings-code-execution(33707)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33707"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-2082", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Direct static code injection vulnerability in admin/settings.php in MyBlog 0.9.8 and earlier allows remote authenticated admin users to inject arbitrary PHP code via the content parameter, which can be executed by accessing index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20070415 MyBlog <= 0.9.8 Remote Command Execution Exploit", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/465873/100/0/threaded"}, {"name": "35392", "refsource": "OSVDB", "url": "http://osvdb.org/35392"}, {"name": "2581", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2581"}, {"name": "myblog-settings-code-execution(33707)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33707"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T13:23:50.380Z"}, "title": "CVE Program Container", "references": [{"name": "20070415 MyBlog <= 0.9.8 Remote Command Execution Exploit", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/465873/100/0/threaded"}, {"name": "35392", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/35392"}, {"name": "2581", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/2581"}, {"name": "myblog-settings-code-execution(33707)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33707"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-2082", "datePublished": "2007-04-18T02:20:00", "dateReserved": "2007-04-17T00:00:00", "dateUpdated": "2024-08-07T13:23:50.380Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:myblog:myblog:*:*:*:*:*:*:*:*", "matchCriteriaId": "D85F729F-EE5D-43D3-8894-E58C9ADE879F", "versionEndIncluding": "0.9.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Direct static code injection vulnerability in admin/settings.php in MyBlog 0.9.8 and earlier allows remote authenticated admin users to inject arbitrary PHP code via the content parameter, which can be executed by accessing index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n directa de c\u00f3digo est\u00e1tico en admin/settings.php de MyBlog 0.9.8 y anteriores permite a administradores remotos autenticados inyectar c\u00f3digo PHP mediante el par\u00e1metro content, el cual puede ser ejecutado accediendo al index.php. NOTA: una vulnerabilidad separada podr\u00eda hacer que este asunto fuese explotable por atacantes remotos no autenticados."}], "id": "CVE-2007-2082", "lastModified": "2024-11-21T00:29:51.650", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-04-18T03:19:00.000", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/35392"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2581"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/465873/100/0/threaded"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33707"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/35392"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/2581"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/465873/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33707"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}