CVE-2007-0134

Current Description

Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow remote attackers to execute arbitrary code via the action parameter, which is supplied to an eval function call in (1) cart.php and (2) page.php. NOTE: a later report and CVE analysis indicate that the vulnerability is present in 1.4.

Basic Data

Published: January 09, 2007
Last Modified: October 16, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-94
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 7.5
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: true

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
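    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 2.3 | Application | Igeneric | Ig Shop | 1.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Igeneric | Ig Shop | 1.4 | * | * | * | * | * | * | * | | | | |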

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Igeneric | Ig Shop | 1.0, 1.4 |

References

| Name | URL | Source | Tags |
|---|---|---|---|
| 33387 | http://osvdb.org/33387 | OSVDB | |
| 33388 | http://osvdb.org/33388 | OSVDB | |
| http://packetstormsecurity.nl/0701-exploits/igshop10-multiple.txt | http://packetstormsecurity.nl/0701-exploits/igshop10-multiple.txt | MISC | Exploit |
| 23604 | http://secunia.com/advisories/23604 | SECUNIA | Vendor Advisory |
| 20070618 Dup: iG Shop 1.4 (page.php) Remote Code Execution Exploit | http://www.attrition.org/pipermail/vim/2007-June/001664.html | VIM | |
| 20070105 IG Shop remote code execution | http://www.securityfocus.com/archive/1/456043/100/0/threaded | BUGTRAQ | |
| 20070619 iG Shop 1.4 eval Inclusion Vulnerability | http://www.securityfocus.com/archive/1/471722/100/0/threaded | BUGTRAQ | |
| 21875 | http://www.securityfocus.com/bid/21875 | BID | |
| ADV-2007-0056 | http://www.vupen.com/english/advisories/2007/0056 | VUPEN | Vendor Advisory |
| igshop-cartpage-code-execution(31301) | https://exchange.xforce.ibmcloud.com/vulnerabilities/31301 | XF | |
| 3083 | https://www.exploit-db.com/exploits/3083 | EXPLOIT-DB | |