5 results (0.011 seconds)

CVSS: 3.3EPSS: 0%CPEs: 27EXPL: 0

CVE-2011-1144

https://notcve.org/view.php?id=CVE-2011-1144

The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1072. El instalador de PEAR 1.9.2 y versiones anteriores permite a los usuarios locales sobreescribir archivos de su elección a través de un ataque de enlace simbólico ("symlink attack") en el fichero package.xml. Relacionado con los directorios (1) download_dir, (2) cache_dir, (3) tmp_dir y (4) pear-build-download. NOTA: esta vulnerabilidad existe debido a una solución incompleta del CVE-2011-1072. • http://openwall.com/lists/oss-security/2011/02/28/5 http://openwall.com/lists/oss-security/2011/03/01/4 http://openwall.com/lists/oss-security/2011/03/01/5 http://openwall.com/lists/oss-security/2011/03/01/7 http://openwall.com/lists/oss-security/2011/03/01/8 http://openwall.com/lists/oss-security/2011/03/01/9 http://pear.php.net/bugs/bug.php?id=18056 https://exchange.xforce.ibmcloud.com/vulnerabilities/65911 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 3.3EPSS: 0%CPEs: 26EXPL: 1

CVE-2011-1072 – php-pear: symlink vulnerability in PEAR installer

https://notcve.org/view.php?id=CVE-2011-1072

The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519. El instalador de PEAR en versiones anteriores a la 1.9.2 permite a usuarios locales sobreescribir ficheros de su elección a través de un ataque de enlace simbólico ("symlink attack") en el fichero package.xml. Relacionado con los directorios (1) download_dir, (2) cache_dir, (3) tmp_dir y (4) pear-build-download. Una vulnerabilidad distinta a la CVE-2007-2519. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546164 http://news.php.net/php.pear.cvs/61264 http://openwall.com/lists/oss-security/2011/02/28/12 http://openwall.com/lists/oss-security/2011/02/28/3 http://openwall.com/lists/oss-security/2011/02/28/5 http://openwall.com/lists/oss-security/2011/03/01/4 http://openwall.com/lists/oss-security/2011/03/01/5 http://openwall.com/lists/oss-security/2011/03/01/7 http://openwall.com/lists/oss • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 10.0EPSS: 1%CPEs: 11EXPL: 0

CVE-2009-4024

https://notcve.org/view.php?id=CVE-2009-4024

Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: this has also been reported as a shell metacharacter problem. La vulnerabilidad de inyección de argumentos en la función ping en el archivo Ping.php en el paquete Net_Ping anterior a versión 2.4.5 para PEAR, permite a los atacantes remotos ejecutar comandos de shell arbitrarios por medio del parámetro host. NOTA: esto también se ha notificado como un problema del metacarácter de shell. • http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory http://pear.php.net/advisory20091114-01.txt http://pear.php.net/package/Net_Ping/download/2.4.5 http://secunia.com/advisories/37451 http://secunia.com/advisories/37502 http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728&r2=290669&pathrev=290669 http://www.debian.org/security/2009/dsa-1949 http://www.securityfocus.com/bid/37093 http://www.vupen.com/english/ad • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0EPSS: 1%CPEs: 4EXPL: 0

CVE-2009-4025

https://notcve.org/view.php?id=CVE-2009-4025

Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de inyección de argumento en la función traceroute en el paquete Net_Traceroute anterior a v0.21.2 para PEAR, permite a atacantes remotos ejecutar comandos de su elección a través del parámetro host. NOTA: algunos de estos detalles se han obtenido de información de terceros. • http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory http://osvdb.org/60515 http://pear.php.net/advisory20091114-01.txt http://pear.php.net/package/Net_Traceroute/download/0.21.2 http://secunia.com/advisories/37497 http://secunia.com/advisories/37503 http://security.gentoo.org/glsa/glsa-200911-06.xml http://www.openwall.com/lists/oss-security/2009/11/23/8 http://www.securityfocus.com/bid/37094 http://www.vupen.com/english/advisor • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 5.1EPSS: 1%CPEs: 21EXPL: 0

CVE-2005-4154

https://notcve.org/view.php?id=CVE-2005-4154

Unspecified vulnerability in PEAR installer 1.4.2 and earlier allows user-assisted attackers to execute arbitrary code via a crafted package that can execute code when the pear command is executed or when the Web/Gtk frontend is loaded. Vulnerabilidad no especificad en el PEAR installer 1.4.2 y anteriores permite a atacantes con la implicación de los usuarios ejecutar código de su elección mediante un paquete artesanal que puede ejecutar cóidog cuando el comando 'pear' es ejecutado cuando el frontal Web/Gtk es cargado. • http://pear.php.net/advisory-20051104.txt http://secunia.com/advisories/17563 http://securitytracker.com/alerts/2005/Nov/1015161.html http://www.vupen.com/english/advisories/2005/2444 https://exchange.xforce.ibmcloud.com/vulnerabilities/23021 •