CVE-2005-1921 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2005-1921

CVE-2005-1921

July 01, 2005

Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.

Related Resources (51)

http://pear.php.net/package/XML_RPC/download/1.3.1

http://www.novell.com/linux/security/advisories/2005_18_sr.html

http://secunia.com/advisories/15872

http://secunia.com/advisories/15883

http://secunia.com/advisories/17674

http://secunia.com/advisories/16693

http://secunia.com/advisories/16001

http://secunia.com/advisories/15904

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11294

http://securitytracker.com/id?1015336

http://www.debian.org/security/2005/dsa-747

http://secunia.com/advisories/15957

http://www.novell.com/linux/security/advisories/2005_41_php_pear.html

http://www.ampache.org/announce/3_3_1_2.php

http://secunia.com/advisories/15895

http://secunia.com/advisories/15922

http://www.hardened-php.net/advisory-022005.php

http://secunia.com/advisories/15903

http://secunia.com/advisories/15944

http://secunia.com/advisories/18003

http://marc.info/?l=bugtraq&m=112605112027335&w=2

http://secunia.com/advisories/15947

http://www.securityfocus.com/bid/14088

http://secunia.com/advisories/15852

https://people.canonical.com/~ubuntu-security/cve/CVE-2005-1921

http://marc.info/?l=bugtraq&m=112015336720867&w=2

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A350

http://www.debian.org/security/2005/dsa-789

http://security.gentoo.org/glsa/glsa-200507-06.xml

http://www.mandriva.com/security/advisories?name=MDKSA-2005:109

http://www.drupal.org/security/drupal-sa-2005-003/advisory.txt

http://www.redhat.com/support/errata/RHSA-2005-564.html

http://www.debian.org/security/2005/dsa-745

http://secunia.com/advisories/15916

http://secunia.com/advisories/15855

http://secunia.com/advisories/15884

http://secunia.com/advisories/16339

http://security.gentoo.org/glsa/glsa-200507-01.xml

http://sourceforge.net/project/showfiles.php?group_id=87163

http://www.gulftech.org/?node=research&article_id=00087-07012005

http://security.gentoo.org/glsa/glsa-200507-07.xml

http://www.vupen.com/english/advisories/2005/2827

http://www.securityfocus.com/archive/1/419064/100/0/threaded

http://sourceforge.net/project/shownotes.php?release_id=338803

http://secunia.com/advisories/15861

http://marc.info/?l=bugtraq&m=112008638320145&w=2

http://www.debian.org/security/2005/dsa-746

http://secunia.com/advisories/15917

http://secunia.com/advisories/17440

http://www.novell.com/linux/security/advisories/2005_49_php.html

http://secunia.com/advisories/15810

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

CVSS v2

Base Score:

7.5

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

EPSS

Base Score:

86.15