CVE-2015-3638
HIGHphpMyBackupPro < 2.5 - Authenticated PHP Code Injection via Scheduled Backup Parameters
Title source: llmDescription
phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1032250
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2015/04/25/1
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/05/04/4
Scores
CVSS v3
8.8
EPSS
0.0213
EPSS Percentile
79.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (1)
phpmybackuppro/phpmybackuppro
< 2.5
Published
Jul 21, 2017
Tracked Since
Feb 18, 2026