CVE-2013-1412

Dleviet Datalife Engine - Code Injection

Title source: rule

Description

DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary PHP code via the catlist[] parameter to engine/preview.php, which is used in a preg_replace function call with an e modifier.

Exploits (3)

metasploit WORKING POC EXCELLENT
by EgiX, juan vazquez · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/datalife_preview_exec.rb
exploitdb WRITEUP VERIFIED
by EgiX · textwebappsphp
https://www.exploit-db.com/exploits/24438
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotephp
https://www.exploit-db.com/exploits/24444

References (8)

Scores

EPSS 0.8510
EPSS Percentile 99.3%

Classification

CWE
CWE-94
Status draft

Affected Products (1)

dleviet/datalife_engine

Timeline

Published Jun 02, 2014
Tracked Since Feb 18, 2026