CVE-2013-3631

Published Nov 2, 2013

Last updated 11 years ago

Overview

Description: NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced | Execute Command" feature. NOTE: this issue might not be a vulnerability, since it appears to be part of legitimate, intentionally-exposed functionality by the developer and is allowed within the intended security policy.
Source: cret@cert.org
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 2.0

Type: Primary
Base score: 6
Impact score: 6.4
Exploitability score: 6.8
Vector string: AV:N/AC:M/Au:S/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-94

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nas4free:nas4free:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9E8E1DD2-0D21-4C89-BC67-9204868E4E82",
            "versionEndIncluding": "9.1.0.1.804"
          },
          {
            "criteria": "cpe:2.3:a:nas4free:nas4free:9.1.0.1.798:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8B60C783-E8E7-4633-91F2-BB69537FFF1F"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 2.0

Weaknesses

Configurations

References