CVE-2011-4825

critical

Description

Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.

References

http://www.zenphoto.org/trac/ticket/2005

http://www.phpmyfaq.de/advisory_2011-10-25.php

http://www.phpletter.com/en/DOWNLOAD/1/

http://www.exploit-db.com/exploits/18075

Details

Source: Mitre, NVD

Published: 2011-12-15

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.40905