Vulnerability Details : CVE-2014-1683
Public exploit exists!
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php.
Vulnerability category: Overflow
Exploit prediction scoring system (EPSS) score for CVE-2014-1683
94.66%: Probability of exploitation activity in the next 30 days
~99%: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2014-1683
- SkyBlueCanvas CMS Remote Code Execution
  Disclosure Date: 2014-01-28
  First seen: 2020-04-26
  exploit/unix/webapp/skybluecanvas_exec
  This module exploits an arbitrary command execution vulnerability in SkyBlueCanvas CMS version 1.1 r248-03 and below.
  Authors: Scott Parish, xistence <xistence@0x90.nl>
CVSS scores for CVE-2014-1683
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
CWE ids for CVE-2014-1683
- The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-1683
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90670
  SkyBlueCanvas index.php command execution CVE-2014-1683 Vulnerability Report
- http://seclists.org/fulldisclosure/2014/Jan/159
  Full Disclosure: Remote Command Injection Vulnerability in SkyBlueCanvas CMS
- http://www.securityfocus.com/bid/65129
  SkyBlueCanvas 'index.php' Multiple Remote Command Injection Vulnerabilities
- http://www.exploit-db.com/exploits/31183
  Skybluecanvas CMS 1.1 r248-03 - Remote Command Execution - PHP webapps Exploit
- http://www.exploit-db.com/exploits/31432
  Skybluecanvas CMS - Remote Code Execution (Metasploit) - Linux remote Exploit
- http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html
  SkyBlueCanvas CMS 1.1 r248-03 Command Injection ≈ Packet Storm
Products affected by CVE-2014-1683
- cpe:2.3:a:skybluecanvas:skybluecanvas:*:*:*:*:*:*:*:*