CVE-2008-5186

Generic Syntax Highlighter <1.0.8.1 - File Inclusion

Title source: llm
STIX 2.1

Description

The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/46271
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32559
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32070
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2008/11/10/8
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/49488

Scores

EPSS 0.0197
EPSS Percentile 78.1%

Details

CWE
CWE-20
Status published
Products (32)
geshi/geshi 1.0.0
geshi/geshi 1.0.1
geshi/geshi 1.0.2
geshi/geshi 1.0.2_beta_1
geshi/geshi 1.0.3
geshi/geshi 1.0.4
geshi/geshi 1.0.5
geshi/geshi 1.0.6
geshi/geshi 1.0.7
geshi/geshi 1.0.7.1
... and 22 more
Published Nov 21, 2008
Tracked Since Feb 18, 2026