CVE-2008-5186

Severity: Unknown | EPSS: 1.97%

CVE-2008-5186 is a vulnerability of currently unknown severity. The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. EPSS estimates a 1.97% chance of exploitation in the next 30 days.

Description

The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path.

Metrics

EPSS Probability: 1.97% (77.9th percentile)

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

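| Vendor | Product | Versions |
|--------|---------|----------|
| Geshi | Geshi | <= 1.0.8 |
| Geshi | Geshi | 1.0.0 |
| Geshi | Geshi | 1.0.1 |
| Geshi | Geshi | 1.0.2 |
| Geshi | Geshi | 1.0.2_beta_1 |
| Geshi | Geshi | 1.0.3 |
| Geshi | Geshi | 1.0.4 |
| Geshi | Geshi | 1.0.5 |
| Geshi | Geshi | 1.0.6 |
| Geshi | Geshi | 1.0.7 |
| Geshi | Geshi | 1.0.7.1 |
| Geshi | Geshi | 1.0.7.2 |
| Geshi | Geshi | 1.0.7.3 |
| Geshi | Geshi | 1.0.7.4 |
| Geshi | Geshi | 1.0.7.5 |
| Geshi | Geshi | 1.0.7.6 |
| Geshi | Geshi | 1.0.7.7 |
| Geshi | Geshi | 1.0.7.8 |
| Geshi | Geshi | 1.0.7.9 |
| Geshi | Geshi | 1.0.7.10 |
| Geshi | Geshi | 1.0.7.11 |
| Geshi | Geshi | 1.0.7.12 |
| Geshi | Geshi | 1.0.7.13 |
| Geshi | Geshi | 1.0.7.14 |
| Geshi | Geshi | 1.0.7.15 |
| Geshi | Geshi | 1.0.7.16 |
| Geshi | Geshi | 1.0.7.17 |
| Geshi | Geshi | 1.0.7.18 |
| Geshi | Geshi | 1.0.7.19 |
| Geshi | Geshi | 1.0.7.20 |
| Geshi | Geshi | 1.0.7.21 |
| Geshi | Geshi | 1.0.7.22 |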

References

Timeline

Published
Last Modified
Status: Modified

Frequently Asked Questions

What is CVE-2008-5186?
The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path.
How severe is CVE-2008-5186?
Severity scoring for CVE-2008-5186 is pending analysis. The EPSS model estimates a 1.97% probability of exploitation in the next 30 days.
How do I fix CVE-2008-5186?
Check the vendor references and advisories linked above for patched versions and mitigation guidance.

Source: NVD / NIST