Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2014-125116

Good to know:

icon

Date: July 25, 2025

A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.

Severity Score

Related Resources (8)

https://nvd.nist.gov/vuln/detail/CVE-2014-125116
https://hybridauth.github.io/
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
https://www.exploit-db.com/exploits/34273
https://vulners.com/metasploit/MSF:EXPLOIT-UNIX-WEBAPP-HYBRIDAUTH_INSTALL_PHP_EXEC-
https://www.vulncheck.com/advisories/hybridauth-unauth-rce-via-config-injection
https://www.exploit-db.com/exploits/34390
https://www.mend.io/vulnerability-database/CVE-2014-125116

Severity Score

Weakness Type (CWE)

Missing Authentication for Critical Function

CWE-306

Unrestricted Upload of File with Dangerous Type

CWE-434

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/hybridauth/hybridauth.git - v2.2.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us