CVE-2010-2099

EXPLOITED

E107 < 0.7.20 - Access Control

Title source: rule

Description

bbcode/php.bb in e107 0.7.20 and earlier does not perform access control checks for all inputs that could contain the php bbcode tag, which allows remote attackers to execute arbitrary PHP code, as demonstrated using the toEmail method in contact.php, related to invocations of the toHTML method.

Exploits (1)

exploitdb WORKING POC VERIFIED
by McFly · perl · webapps · multiple
https://www.exploit-db.com/exploits/12715

Scores

EPSS 0.0084
EPSS Percentile 74.7%

Details

VulnCheck KEV 2010-08-19
CWE CWE-264
Status published
Products (49)
e107/e107 0.6_10
e107/e107 0.6_11
e107/e107 0.6_12
e107/e107 0.6_13
e107/e107 0.6_14
e107/e107 0.6_15
e107/e107 0.6_15a
e107/e107 0.7
e107/e107 0.7.0
e107/e107 0.7.1
... and 39 more
Published May 27, 2010
Tracked Since Feb 18, 2026