CVE-2018-19290

Published: Nov 30, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact, as demonstrated by the "!calc 5 x 5" command. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.

Affected (1)

Products: Budabot: Budabot

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Budabot Budabot	From 0.6 to 4.0

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

http://packetstormsecurity.com/files/150391/Budabot-4.0-Denial-Of-Service.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2018/Nov/44

Source: cve@mitre.org

ExploitMailing ListThird Party Advisory

http://packetstormsecurity.com/files/150391/Budabot-4.0-Denial-Of-Service.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2018/Nov/44

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

Timeline

No history available yet.