CVE-2014-1683

EUVD-2014-1757
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
skybluecanvasskybluecanvas
𝑥
≤ 1.1_r248-03
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html
http://seclists.org/fulldisclosure/2014/Jan/159
http://secunia.com/advisories/56646
http://www.exploit-db.com/exploits/31183
http://www.exploit-db.com/exploits/31432
http://www.securityfocus.com/bid/65129
https://exchange.xforce.ibmcloud.com/vulnerabilities/90670
http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html
http://seclists.org/fulldisclosure/2014/Jan/159
http://secunia.com/advisories/56646
http://www.exploit-db.com/exploits/31183
http://www.exploit-db.com/exploits/31432
http://www.securityfocus.com/bid/65129
https://exchange.xforce.ibmcloud.com/vulnerabilities/90670