← back
CVE-2006-5137

CVE-2006-5137

EPSS 2.1%
Multiple direct static code injection vulnerabilities in Groupee UBB.threads 6.5.1.1 allow remote attackers to (1) inject PHP code via a theme[] array parameter to admin/doedittheme.php, which is injected into includes/theme.inc.php; (2) inject PHP code via a config[] array parameter to admin/doeditconfig.php, and then execute the code via includes/config.inc.php; and inject a reference to PHP code via a URL in the config[path] parameter, and then execute the code via (3) dorateuser.php, (4) calendar.php, and unspecified other scripts.
Affected products
n/a · n/a
public PoCs found1
exploitdbwww.exploit-db.com/exploits/2457unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://securityreason.com/securityalert/1676https://exchange.xforce.ibmcloud.com/vulnerabilities/29274http://www.securityfocus.com/archive/1/447359/100/0/threadedhttp://www.securityfocus.com/bid/20266