CVE-2009-1677

Bitweaver < 2.6 - Code Injection

Title source: rule

Description

Multiple static code injection vulnerabilities in the saveFeed function in rss/feedcreator.class.php in Bitweaver 2.6 and earlier allow (1) remote authenticated users to inject arbitrary PHP code into files by placing PHP sequences into the account's "display name" setting and then invoking boards/boards_rss.php, and might allow (2) remote attackers to inject arbitrary PHP code into files via the HTTP Host header in a request to boards/boards_rss.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Nine:Situations:Group · phpwebappsphp

https://www.exploit-db.com/exploits/8659

View Code ZIP pw:eip

References (5)

[Vendor Advisory] http://secunia.com/advisories/35057

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/50631

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/503435

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/34910

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/8659

Scores

EPSS 0.0161

EPSS Percentile 81.8%

Details

CWE

CWE-94

Status published

Products (9)

bitweaver/bitweaver 1.1

bitweaver/bitweaver 1.1.1_beta

bitweaver/bitweaver 1.2.1

bitweaver/bitweaver 1.3

bitweaver/bitweaver 1.3.1

bitweaver/bitweaver 2.0.0

bitweaver/bitweaver 2.0.2

bitweaver/bitweaver 2.5

bitweaver/bitweaver < 2.6

Published May 18, 2009

Tracked Since Feb 18, 2026