Vulnerability Details CVE-2014-8791
project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.524
EPSS Ranking 97.8%
CVSS Severity
CVSS v2 Score 6.0
References
- http://karmainsecurity.com/KIS-2014-13
- http://packetstormsecurity.com/files/129309/Tuleap-7.6-4-PHP-Object-Injection.html
- http://seclists.org/fulldisclosure/2014/Nov/101
- http://www.securityfocus.com/archive/1/534105/100/0/threaded
- http://www.securityfocus.com/bid/71335
- http://karmainsecurity.com/KIS-2014-13
- http://packetstormsecurity.com/files/129309/Tuleap-7.6-4-PHP-Object-Injection.html
- http://seclists.org/fulldisclosure/2014/Nov/101
- http://www.securityfocus.com/archive/1/534105/100/0/threaded
- http://www.securityfocus.com/bid/71335