CVE-2013-5123

MEDIUM

pip < 1.5 - Man-in-the-Middle Attack via Insecure Mirror DNS Querying

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-5123. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates an open redirect vulnerability in phlyMail Lite 4.03.04 via the 'go' parameter in 'derefer.php'. The input is not properly sanitized, allowing redirection to arbitrary URLs.

Description

The mirroring support (-M, --use-mirrors) in Python pip before 1.5 uses insecure DNS querying and authenticity checks, which allows attackers to perform man-in-the-middle attacks.

Exploits (1)

exploit-db (working PoC, verified)
by LiquidWorm · text · webapps · php
https://www.exploit-db.com/exploits/24086

Classification
Working PoC: 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: phlyMail Lite 4.03.04
Authentication: No auth needed
Prerequisites: Access to the vulnerable endpoint
Analysis: devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
- https://security-tracker.debian.org/tracker/CVE-2013-5123 (Third Party Advisory; x_refsource_misc)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5123 (Issue Tracking, Patch, Third Party Advisory; x_refsource_misc)
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5123 (Issue Tracking, Third Party Advisory; x_refsource_misc)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html (Mailing List, Third Party Advisory; x_refsource_misc)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155291.html (Mailing List, Third Party Advisory; x_refsource_misc)
- http://www.openwall.com/lists/oss-security/2013/08/21/17 (Mailing List, Third Party Advisory; x_refsource_misc)
- http://www.openwall.com/lists/oss-security/2013/08/21/18 (Mailing List, Third Party Advisory; x_refsource_misc)
- http://www.securityfocus.com/bid/77520 (Broken Link, Third Party Advisory, VDB Entry; x_refsource_misc)

Scores

CVSS v3: 5.9
EPSS: 0.1238
EPSS Percentile: 94.1%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE: CWE-287
Status: published
Products (11)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 20
fedoraproject/fedora 21
pypa/pip < 1.5
pypi/pip 0 - 1.5 (PyPI)
redhat/openshift 1.0
redhat/openshift 2.0
redhat/software_collections
... and 1 more
Published: Nov 05, 2019
Tracked Since: Feb 18, 2026