CVE-2014-8684

CRITICAL

CodeIgniter <3.0 & Kohana 3.2.3-3.3.2 - Code Injection

Description

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

Exploits (2)

metasploit WORKING POC NORMAL
ruby poc php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb
exploitdb WORKING POC
ruby remote php
https://www.exploit-db.com/exploits/36264

Scores

CVSS v3 9.8
EPSS 0.4485
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-310
Status published
Products (6)
codeigniter/codeigniter < 2.2.6
codeigniter/framework 0 - 3.0.0 (Packagist)
kohana/core 0 - 3.3.3 (Packagist)
kohanaframework/kohana 3.2.3
kohanaframework/kohana 3.3.0
kohanaframework/kohana 3.3.1
Published Sep 19, 2017
Tracked Since Feb 18, 2026