CVE-2015-3640

HIGH

phpMyBackupPro <2.5 - Command Injection

Title source: llm
STIX 2.1

Description

phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts.

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032250
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/05/04/4

Scores

CVSS v3 7.5
EPSS 0.0123
EPSS Percentile 65.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
phpmybackuppro/phpmybackuppro < 2.5
Published Jul 21, 2017
Tracked Since Feb 18, 2026