plugins/maps/db_handler.php in LinPHA 1.3.3 and earlier does not require authentication for a settings action that modifies the configuration file, which allows remote attackers to conduct directory traversal attacks and execute arbitrary local files by placing directory traversal sequences into the maps_type configuration setting, and then sending a request to maps_view.php, which causes plugins/maps/map.main.class.php to use the modified configuration.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Linpha
  • Linpha

Configuration 1 [-]

OR cpe:2.3:a:linpha:linpha:*:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:0.9.4:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.0:beta1:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.0:beta2:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.0:beta3:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:linpha:linpha:1.3.2:*:*:*:*:*:*:*

No data.

References
Link Providers
http://secunia.com/advisories/29724 cve-icon cve-icon
http://sourceforge.net/project/shownotes.php?release_id=595725 cve-icon cve-icon
http://www.osvdb.org/50229 cve-icon cve-icon
http://www.securityfocus.com/bid/28654 cve-icon cve-icon
http://www.vupen.com/english/advisories/2008/1136 cve-icon cve-icon
https://exchange.xforce.ibmcloud.com/vulnerabilities/41676 cve-icon cve-icon
https://www.exploit-db.com/exploits/5392 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-07T08:40:59.408Z

Reserved: 2008-04-16T00:00:00

Link: CVE-2008-1856

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2008-04-16T19:05:00.000

Modified: 2024-11-21T00:45:30.860

Link: CVE-2008-1856

cve-icon Redhat

No data.