Vulnerability Details : CVE-2010-2099
bbcode/php.bb in e107 0.7.20 and earlier does not perform access control checks for all inputs that could contain the php bbcode tag, which allows remote attackers to execute arbitrary PHP code, as demonstrated using the toEmail method in contact.php, related to invocations of the toHTML method.
Exploit prediction scoring system (EPSS) score for CVE-2010-2099
Probability of exploitation activity in the next 30 days: 1.64%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 87 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2010-2099
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2010-2099
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-2099
-
http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html
MOPS-2010-035: e107 BBCode Remote PHP Code Execution Vulnerability « the Month of PHP SecurityExploit
-
http://www.securityfocus.com/bid/40252
e107 BBCode Arbitrary PHP Code Execution VulnerabilityExploit
Products affected by CVE-2010-2099
- cpe:2.3:a:e107:e107:*:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.545:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.603:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6_10:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6_11:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.554:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6_15a:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6_12:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6_13:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6_14:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6_15:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.610:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.615:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.615a:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.611:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.612:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.613:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.614:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.616:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.607:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.608:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.600:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.601:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.602:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.609:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.617:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.604:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.605:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.606:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6172:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6171:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6174:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6173:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.6175:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.13:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.14:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.15:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.17:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.18:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.553:beta:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.551:beta:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.552:beta:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.547:beta:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.554:beta:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.555:beta:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.16:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.548:beta:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.549:beta:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:e107:e107:0.7.19:*:*:*:*:*:*:*