Detections
Analytics
Piwik < 0.5 unserialize() PHP Code Execution Vulnerability
high Nessus Network Monitor Plugin ID 5263
Synopsis
The remote web server is hosting a PHP application that is vulnerable to a remote code execution vulnerability.Description
The remote web server is hosting Piwik, a web analytics application written in PHP. The installed version is earlier than 0.5. Such versions are potentially affected by a remote PHP code execution vulnerability because the application unserializes data from user supplied cookies. An attacker could send a specially crafted cookie which, when unserialized, could be used to upload arbitrary files or possibly execute arbitrary PHP code.Solution
Upgrade to Piwik 0.5 or later.See Also
http://piwik.org/blog/2009/12/piwik-response-to-shocking-news-in-php-exploitation
Plugin Details
Severity: High
ID: 5263
Family: CGI
Published: 12/9/2009
Updated: 3/6/2019
Risk Information
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.2
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: High
Base Score: 7.3
Temporal Score: 6.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:piwik:piwik
Patch Publication Date: 12/9/2009
Vulnerability Publication Date: 12/9/2009
Reference Information
BID: 37312