Vulnerability Details : CVE-2013-3631
Public exploit exists!
NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced | Execute Command" feature. NOTE: this issue might not be a vulnerability, since it appears to be part of legitimate, intentionally-exposed functionality by the developer and is allowed within the intended security policy.
Products affected by CVE-2013-3631
- cpe:2.3:a:nas4free:nas4free:*:*:*:*:*:*:*:*
- cpe:2.3:a:nas4free:nas4free:9.1.0.1.798:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-3631
64.75%: probability of exploitation activity in the next 30 days
~98%: percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2013-3631
- NAS4Free Arbitrary Remote Code Execution
  Disclosure Date: 2013-10-30
  First seen: 2020-04-26
  exploit/multi/http/nas4free_php_exec
  NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have the code executed remotely. This module was successfully tested against NAS4Free version 9.1.0.1.804. Earlier builds are likely to be vulnerable as well.
  Authors: - Brandon Perry <bpe
CVSS scores for CVE-2013-3631
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST | |
CWE ids for CVE-2013-3631
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-3631
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
  Seven FOSS Tricks and Treats (Part Two)
  Exploit
- http://www.kb.cert.org/vuls/id/326830
  VU#326830 - NAS4Free version 9.1.0.1 contains a remote command execution vulnerability
  US Government Resource