Vulnerability Details CVE-2006-3208
Direct static code injection vulnerability in Ultimate PHP Board (UPB) 1.9.6 and earlier allows remote authenticated administrators to execute arbitrary PHP code via multiple unspecified "configuration fields" in (1) admin_chatconfig.php, (2) admin_configcss.php, (3) admin_config.php, or (4) admin_config2.php, which are stored as configuration settings. NOTE: this issue can be exploited by remote attackers by leveraging other vulnerabilities in UPB.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.4%
CVSS Severity
CVSS v2 Score 6.5
References
- http://securityreason.com/securityalert/1138
- http://www.kliconsulting.com/users/mbrooks/UPB_0-day.txt
- http://www.securityfocus.com/archive/1/437875/100/0/threaded
- http://securityreason.com/securityalert/1138
- http://www.kliconsulting.com/users/mbrooks/UPB_0-day.txt
- http://www.securityfocus.com/archive/1/437875/100/0/threaded
Products affected by CVE-2006-3208
-
cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.8
-
cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.8.2
-
cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.9
-
cpe:2.3:a:ultimate_php_board:ultimate_php_board:1.9.6