CVE-2008-5663

Kusaba <1.0.4 - RCE

Title source: llm

Description

Multiple unrestricted file upload vulnerabilities in Kusaba 1.0.4 and earlier allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension using (1) load_receiver.php or (2) a shipainter action to paint_save.php, then accessing the uploaded file via a direct request to this file in their user directory.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Sausage · htmlwebappsphp

https://www.exploit-db.com/exploits/6711

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Sausage · phpwebappsphp

https://www.exploit-db.com/exploits/6706

View Code ZIP pw:eip

References (7)

[Vendor Advisory] http://www.securityfocus.com/bid/31685

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/45793

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/45794

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/31668

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/6706

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/6711

[Third Party Advisory] http://securityreason.com/securityalert/4782

Scores

EPSS 0.1139

EPSS Percentile 93.6%

Details

CWE

CWE-20

Status published

Products (1)

kusaba/kusaba < 1.0.4

Published Dec 19, 2008

Tracked Since Feb 18, 2026