CVE-2017-11366

CRITICAL

Codiad < 2.8.3 - OS Command Injection

Title source: rule

Description

components/filemanager/class.filemanager.php in Codiad before 2.8.4 is vulnerable to remote command execution because shell commands can be embedded in parameter values, as demonstrated by search_file_type.

Exploits (1)

nomisec WORKING POC

by hidog123 · poc

https://github.com/hidog123/Codiad-CVE-2018-14009

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] http://www.jianshu.com/p/41ac7ac2a7af

[Third Party Advisory] https://github.com/Codiad/Codiad/issues/1011

[Third Party Advisory] https://github.com/Codiad/Codiad/pull/1013

[Patch, Third Party Advisory] https://github.com/Codiad/Codiad/pull/1013/commits/b3645b4c6718cef6de7003f41aafe7bfcc0395d1

Scores

CVSS v3 9.8

EPSS 0.3435

EPSS Percentile 97.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

codiad/codiad < 2.8.3

codiad/codiad 0 - 2.8.3Packagist

Published Aug 21, 2017

Tracked Since Feb 18, 2026