Vulnerability Details CVE-2015-3640
phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 74.1%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 6.0
References
Products affected by CVE-2015-3640
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:1.2
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:1.4
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:1.5
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:1.6
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:1.6.1
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:1.6.2
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:1.7
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:1.7.1
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:2.0
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:2.1
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:2.2
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:2.3
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:2.4
-
cpe:2.3:a:phpmybackuppro:phpmybackuppro:2.5