CVE-2024-39171
EUVD-2024-3785709.07.2024, 17:15
Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| phpvibe | phpvibe | 11.0.3 ≤ 𝑥 ≤ 11.0.46 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| phpvibe | phpvibe | 11.0.3 ≤ 𝑥 ≤ 11.0.46 | ADP |
Common Weakness Enumeration
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- CWE-35 - Path Traversal: '.../...//'The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.