CVE-2008-2638

Current Description

Static code injection vulnerability in guestbook.php in 1Book 1.0.1 and earlier allows remote attackers to upload arbitrary PHP code via the message parameter in an HTML webform, which is written to data.php.

Basic Data

Published: June 10, 2008
Last Modified: September 29, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-94
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 10.0
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 10.0
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe Version: 2.3
    Part: Application
    Vendor: 1-script
    Product: 1-book
    Version: *
    Update: *
    Edition: *
    Language: *
    SW Edition: *
    Target SW: *
    Target HW: *
    Other: *
    Version Start Including:
    Version End Including: 1.0.1
    Version Start Excluding:
    Version End Excluding:

Vulnerable Software List

Vendor: 1-script
Product: 1-book
Versions: *

References

  • Name: http://1scripts.net/php-scripts/index.php?p=16
    Source: CONFIRM
    URL: http://1scripts.net/php-scripts/index.php?p=16
  • Name: 30146
    Source: SECUNIA
    URL: http://secunia.com/advisories/30146
    Tags: Vendor Advisory
  • Name: ADV-2008-1735
    Source: VUPEN
    URL: http://www.vupen.com/english/advisories/2008/1735/references
  • Name: 1book-guestbook-code-execution(42854)
    Source: XF
    URL: https://exchange.xforce.ibmcloud.com/vulnerabilities/42854
  • Name: 5736
    Source: EXPLOIT-DB
    URL: https://www.exploit-db.com/exploits/5736