Vulnerability Details : CVE-2009-4487
nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
Exploit prediction scoring system (EPSS) score for CVE-2009-4487
Probability of exploitation activity in the next 30 days: 0.66%
Percentile (the proportion of vulnerabilities scored at or below this level): ~77%
CVSS scores for CVE-2009-4487
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
References for CVE-2009-4487
- http://www.securityfocus.com/archive/1/508830/100/0/threaded (SecurityFocus; Broken Link; Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/37711 (nginx Terminal Escape Sequence in Logs Command Injection Vulnerability; Broken Link; Third Party Advisory; VDB Entry)
- http://www.ush.it/team/ush/hack_httpd_escape/adv.txt (Exploit; Patch; Third Party Advisory)
Products affected by CVE-2009-4487
- cpe:2.3:a:f5:nginx:0.7.64:*:*:*:*:*:*:*