CVE-2015-3638

HIGH

phpMyBackupPro < 2.5 - Authenticated PHP Code Injection via Scheduled Backup Parameters

Title source: llm
STIX 2.1

Description

phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable.

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032250
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2015/04/25/1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/05/04/4

Scores

CVSS v3 8.8
EPSS 0.0213
EPSS Percentile 79.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
phpmybackuppro/phpmybackuppro < 2.5
Published Jul 21, 2017
Tracked Since Feb 18, 2026