1 results (0.001 seconds)

CVSS: 7.5EPSS: 91%CPEs: 35EXPL: 3

The proc_deutf function in includes/functions_vbseocp_abstract.php in vBSEO 3.5.0, 3.5.1, 3.5.2, 3.6.0, and earlier allows remote attackers to insert and execute arbitrary PHP code via "complex curly syntax" in the char_repl parameter, which is inserted into a regular expression that is processed by the preg_replace function with the eval switch. La función proc_deutf en includes/functions_vbseocp_abstract.php en vBSEO v3.5.0, v3.5.1, v3.5.2, v3.6.0, y anteriores permite a atacantes remotos insertar y ejecutar código PHP a través "complex curly syntax" en el parámetro char_repl, el cual es insertado en una expresión regular que es procesada por la función preg_replace con el modificador eval. • https://www.exploit-db.com/exploits/18424 http://osvdb.org/78508 http://secunia.com/advisories/47699 http://www.exploit-db.com/exploits/18424 http://www.securityfocus.com/bid/51647 http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783 https://exchange.xforce.ibmcloud.com/vulnerabilities/72689 - • CWE-94: Improper Control of Generation of Code ('Code Injection') •