CVE-2013-5036

Published: May 27, 2014Modified: May 6, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

The Square Squash allows remote attackers to execute arbitrary code via a YAML document in the (1) namespace parameter to the deobfuscation function or (2) sourcemap parameter to the sourcemap function in app/controllers/api/v1_controller.rb.

Affected (1)

Products: Squash: Square Squash

Squash

1 product

Square Squash

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Squash Square Squash	All versions

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (10)

http://ceriksen.com/2013/08/06/squash-remote-code-execution-vulnerability-advisory/

Source: cve@mitre.org

http://osvdb.org/95992

Source: cve@mitre.org

http://www.exploit-db.com/exploits/27530

Source: cve@mitre.org

Exploit

https://exchange.xforce.ibmcloud.com/vulnerabilities/86335

Source: cve@mitre.org

https://github.com/SquareSquash/web/commit/6d667c19e96e4f23dccbfbe24afeebd18e98e1c5

Source: cve@mitre.org

ExploitPatch

http://ceriksen.com/2013/08/06/squash-remote-code-execution-vulnerability-advisory/