Vulnerability Details : CVE-2009-0677
avatarlist.php in the Your Account module, reached through modules.php, in Raven Web Services RavenNuke 2.30 allows remote authenticated users to execute arbitrary code via PHP sequences in an element of the replacements array, which is processed by the preg_replace function with the eval switch, as specified in an element of the patterns array.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2009-0677
Probability of exploitation activity in the next 30 days: 1.84%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 87 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2009-0677
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST |
CWE ids for CVE-2009-0677
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-0677
-
http://ravenphpscripts.com/postt17156.html&sid=12d1201371612260a42fa846ebce7bad
Vendor Advisory
- http://www.securityfocus.com/bid/33787
- https://www.exploit-db.com/exploits/8068
- http://www.securityfocus.com/archive/1/500988/100/0/threaded
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/48789
- http://www.waraxe.us/advisory-72.html
Products affected by CVE-2009-0677
- cpe:2.3:a:ravenphpscripts:ravennuke:2.30:*:*:*:*:*:*:*