CVE-2008-1866

Published: Apr 17, 2008Modified: Apr 23, 2026

9.0

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability: 8.0 / Impact: 10.0

Source: NVD

Description

admin/modif_config.php in Blog Pixel Motion (aka PixelMotion) does not require admin authentication, which allows remote authenticated users to upload arbitrary PHP scripts in a ZIP archive, which is written to templateZip/ and then automatically extracted under templates/ for execution via a direct request.

Affected (1)

Products: Pixel Motion: Pixel Motion Blog

1 product

Pixel Motion Blog

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pixel Motion Pixel Motion Blog	All versions

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (8)

http://www.securityfocus.com/bid/28646

Source: cve@mitre.org

Exploit

http://www.vupen.com/english/advisories/2008/1121/references

Source: cve@mitre.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/41670

Source: cve@mitre.org

https://www.exploit-db.com/exploits/5381

Source: cve@mitre.org

http://www.securityfocus.com/bid/28646

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://www.vupen.com/english/advisories/2008/1121/references

Source: af854a3a-2127-422b-91ae-364da2661108

https://exchange.xforce.ibmcloud.com/vulnerabilities/41670

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/5381

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.