CVE-2018-16604
HIGH
Nibbleblog 4.0.5 - Authenticated PHP Code Injection via Username Parameter
Title source: llm
Description
An issue was discovered in Nibbleblog v4.0.5. With an admin's username and password, an attacker can execute arbitrary PHP code by changing the username because the username is surrounded by double quotes (e.g., "${phpinfo()}").
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/dignajar/nibbleblog/issues/131
Scores
CVSS v3
7.2
EPSS
0.0153
EPSS Percentile
71.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (1)
nibbleblog/nibbleblog
4.0.5
Published
Sep 06, 2018
Tracked Since
Feb 18, 2026