CVE-2014-4663

EXPLOITED

TimThumb 2.8.13 / WordThumb 1.07 - RCE

Description

TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allow remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by @u0x · text · webapps · php
https://www.exploit-db.com/exploits/33851

Scores

EPSS 0.1685
EPSS Percentile 95.0%

Details

VulnCheck KEV 2024-10-15
CWE CWE-94
Status published
Products (2)
binarymoon/timthumb 2.8.13
binarymoon/wordthumb 1.07
Published Jul 15, 2014
Tracked Since Feb 18, 2026