Vulnerability Details : CVE-2015-10009
A vulnerability was found in nterchange up to 4.1.0. It has been rated as critical. This issue affects the function getContent of the file app/controllers/code_caller_controller.php. The manipulation of the argument q with the input %5C%27%29;phpinfo%28%29;/* leads to code injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.1 is able to address this issue. The patch is named fba7d89176fba8fe289edd58835fe45080797d99. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217187.
Products affected by CVE-2015-10009
- cpe:2.3:a:nonfiction:nterchange:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-10009
0.32%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 71 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-10009
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.2
|
MEDIUM | AV:A/AC:L/Au:S/C:P/I:P/A:P |
5.1
|
6.4
|
VulDB | |
5.5
|
MEDIUM | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.1
|
3.4
|
VulDB | |
5.5
|
MEDIUM | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.1
|
3.4
|
VulDB | 2024-02-29 |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2015-10009
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: cna@vuldb.com (Primary)
References for CVE-2015-10009
-
https://vuldb.com/?id.217187
Login requiredThird Party Advisory
-
https://github.com/nonfiction/nterchange_backend/commit/fba7d89176fba8fe289edd58835fe45080797d99
Addressing TLM vulnerability · nonfiction/nterchange_backend@fba7d89 · GitHubPatch;Third Party Advisory
-
https://vuldb.com/?ctiid.217187
CVE-2015-10009 | nterchange code_caller_controller.php getContent code injectionThird Party Advisory
-
https://github.com/nonfiction/nterchange_backend/releases/tag/4.1.1
Release 4.1.1 · nonfiction/nterchange_backend · GitHubRelease Notes;Third Party Advisory
Jump to