CVE-2019-18873

FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.

CVSS v3 9.0 CRITICAL
CVSS v2.0 8.5 HIGH

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

8.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:S/C:C/I:C/A:C

Exploitability : 6.8 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://github.com/fuzzlove/FUDforum-XSS-RCE	Exploit Third Party Advisory
https://sourceforge.net/p/fudforum/code/6321/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:fudforum:fudforum:3.0.9:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-11-12 02:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-18873

Mitre link : CVE-2019-18873

CVE.ORG link : CVE-2019-18873

JSON object : View

Products Affected

fudforum

fudforum

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2019-18873", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 8.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2019-11-12T02:15:10.267", "references": [{"url": "https://github.com/fuzzlove/FUDforum-XSS-RCE", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://sourceforge.net/p/fudforum/code/6321/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under \"User Manager\" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php."}, {"lang": "es", "value": "FUDForum versi\u00f3n 3.0.9, es vulnerable a un problema de tipo XSS Almacenado por medio del encabezado HTTP User-Agent. Esto puede resultar en una ejecuci\u00f3n de c\u00f3digo remota. Un atacante puede usar una cuenta de usuario para comprometer completamente el sistema por medio de una petici\u00f3n GET. Cuando el administrador visita la informaci\u00f3n del usuario bajo \"User Manager\" en el panel de control, la carga \u00fatil se ejecutar\u00e1. Esto permitir\u00e1 que los archivos PHP sean escritos en la root web y que el c\u00f3digo se ejecute en el servidor remoto. El problema est\u00e1 en los archivos admsession.php y admuser.php."}], "lastModified": "2019-11-15T19:05:05.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fudforum:fudforum:3.0.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4C965BD-222A-44FF-872D-21F18C80CECC"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}