CVE-2013-3631

Nas4free < 9.1.0.1.804 - Code Injection

Title source: rule

Description

NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced | Execute Command" feature. NOTE: this issue might not be a vulnerability, since it appears to be part of legitimate, intentionally-exposed functionality by the developer and is allowed within the intended security policy.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/29320

View Code ZIP pw:eip

metasploit WORKING POC GREAT

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/nas4free_php_exec.rb

View Code ZIP pw:eip

References (2)

[US Government Resource] http://www.kb.cert.org/vuls/id/326830

[Exploit] https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats

Scores

EPSS 0.4936

EPSS Percentile 97.8%

Details

CWE

CWE-94

Status published

Products (2)

nas4free/nas4free 9.1.0.1.798

nas4free/nas4free < 9.1.0.1.804

Published Nov 02, 2013

Tracked Since Feb 18, 2026