CVE-2017-1000423

CRITICAL

b2evolution 6.6.0-6.8.10 - Unauthenticated Remote Code Execution via Input Validation Bypass

Description

b2evolution versions 6.6.0 through 6.8.10 are vulnerable to improper input validation (backslash and single-quote escaping) in the basic install functionality, resulting in an unauthenticated attacker gaining PHP code execution on the victim's setup.

Scores

CVSS v3: 9.8
EPSS: 0.0239
EPSS Percentile: 81.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-20
Status: published
Products (1): b2evolution/b2evolution 6.6.0 - 6.8.10
Published: Jan 02, 2018
Tracked Since: Feb 18, 2026