CVE-2014-7178

Tuleap < 7.5.99.6 - Remote Code Execution via User-Agent Header

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-7178. PoCs published by Portcullis.

AI-analyzed exploit summary: This exploit demonstrates a command injection vulnerability in Tuleap <= 7.4.99.5 via the SVN handler. The User-Agent header is manipulated to inject commands executed by the passthru() function, leading to remote command execution.

Description

Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Portcullis · text · webapps · php
https://www.exploit-db.com/exploits/35100

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Tuleap <= 7.4.99.5
Auth required
Prerequisites: Valid user account with access to SVN repository
devstral-2 · analyzed Feb 16, 2026

References (3)

Core 3

Scores

EPSS 0.0506
EPSS Percentile 91.2%

Details

CWE: CWE-20
Status: published
Products (1): enalean/tuleap < 7.5.99.5
Published: Nov 28, 2014
Tracked Since: Feb 18, 2026