Lucene search

GitHub_MCVELIST:CVE-2020-11084

HistoryJul 14, 2020 - 9:15 p.m.

CVE-2020-11084 Command Injection in iPear

2020-07-1421:15:13

CWE-78

GitHub_M

www.cve.org

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

21.9%

JSON

In iPear, the manual execution of the eval() function can lead to command injection. Only PCs where commands are manually executed via “For Developers” are affected. This function allows executing any PHP code within iPear which may change, damage, or steal data (files) from the PC.

CNA Affected

[
  {
    "product": "iPear",
    "vendor": "yaBobJonez",
    "versions": [
      {
        "status": "affected",
        "version": ">= 0.6.14, <= 0.6.15"
      },
      {
        "status": "affected",
        "version": "= 0.7.0"
      }
    ]
  }
]

References

github.com/yaBobJonez/iPear/security/advisories/GHSA-4xvp-35fx-hjjj

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

21.9%

JSON

Related for CVELIST:CVE-2020-11084