ID CVE-2011-4451
Summary libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spam_logging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlog_path file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the spamlog_path file never uses the PHP interpreter.
References
Vulnerable Configurations
  • cpe:2.3:a:wikkawiki:wikkawiki:1.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:wikkawiki:wikkawiki:1.3.1:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 11-04-2024 - 00:48)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
d2sec via4
name WikkaWiki 1.3.1 SQL Injection
url http://www.d2sec.com/exploits/wikkawiki_1.3.1_sql_injection.html
refmap via4
misc http://wush.net/trac/wikka/ticket/1098
Last major update 11-04-2024 - 00:48
Published 05-09-2012 - 20:55
Last modified 11-04-2024 - 00:48