CVE-2002-1484

CRITICAL

DB4Web - SSRF

Title source: llm

Description

DB4Web server, when configured to use verbose debug messages, allows remote attackers to use DB4Web as a proxy and attempt TCP connections to other systems (port scan) via a request for a URL that specifies the target IP address and port, which produces a connection status in the resulting error message.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Stefan Bagdohn · textremotemultiple

https://www.exploit-db.com/exploits/21801

View Code ZIP pw:eip

References (4)

[Broken Link, Vendor Advisory] http://archives.neohapsis.com/archives/bugtraq/2002-09/0201.html

[Broken Link, Vendor Advisory] http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0125.html

[Broken Link, Exploit, Vendor Advisory] http://www.iss.net/security_center/static/10136.php

[Broken Link, Exploit, Patch, Third Party Advisory, VDB Entry, Vendor Advisory] http://www.securityfocus.com/bid/5725

Scores

CVSS v3 9.8

EPSS 0.0741

EPSS Percentile 91.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-918

Status published

Products (2)

siemens/db4web 3.4

siemens/db4web 3.6

Published Apr 22, 2003

Tracked Since Feb 18, 2026