CVE-2019-18873
Last modified
CVE-2019-18873 is a critical-severity vulnerability rated 9/10 on the CVSS scale. FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. EPSS estimates a 8.15% chance of exploitation in the next 30 days.
Description
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Fudforum | Fudforum | 3.0.9 |
References
- https://github.com/fuzzlove/FUDforum-XSS-RCEExploit, Third Party Advisory
- https://sourceforge.net/p/fudforum/code/6321/Third Party Advisory
- https://github.com/fuzzlove/FUDforum-XSS-RCEExploit, Third Party Advisory
- https://sourceforge.net/p/fudforum/code/6321/Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-18873?
How severe is CVE-2019-18873?
How do I fix CVE-2019-18873?
Are you affected by CVE-2019-18873?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST