Vulnerability Details : CVE-2013-5036
Public exploit exists!
The Square Squash allows remote attackers to execute arbitrary code via a YAML document in the (1) namespace parameter to the deobfuscation function or (2) sourcemap parameter to the sourcemap function in app/controllers/api/v1_controller.rb.
Vulnerability category: Execute code
Products affected by CVE-2013-5036
- cpe:2.3:a:squash:square_squash:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-5036
91.93%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2013-5036
-
Squash YAML Code Execution
Disclosure Date: 2013-08-06First seen: 2020-04-26exploit/unix/webapp/squash_yaml_execThis module exploits a remote code execution vulnerability in the YAML request processor of the Squash application. Authors: - Charlie Eriksen
CVSS scores for CVE-2013-5036
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2013-5036
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-5036
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/86335
Squash YAML code execution CVE-2013-5036 Vulnerability Report
-
https://github.com/SquareSquash/web/commit/6d667c19e96e4f23dccbfbe24afeebd18e98e1c5
CodeClimate-recommended security fixes · SquareSquash/web@6d667c1 · GitHubExploit;Patch
-
http://ceriksen.com/2013/08/06/squash-remote-code-execution-vulnerability-advisory/
Squash remote code execution vulnerability advisory | ceriksen.com
-
http://www.exploit-db.com/exploits/27530
Squash - YAML Code Execution (Metasploit) - Multiple remote ExploitExploit
Jump to