CVE-2013-3631

CVSS V2 Medium 6 CVSS V3 None

Description

NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced | Execute Command" feature. NOTE: this issue might not be a vulnerability, since it appears to be part of legitimate, intentionally-exposed functionality by the developer and is allowed within the intended security policy.

Overview

CVE ID
CVE-2013-3631

Assigner
cret@cert.org

Vulnerability Status
Analyzed

Published Version
2013-11-02T19:55:04

Last Modified Date
2013-11-05T14:56:57

Weakness Enumerations

CWE	URL
CWE-94	http://cwe.mitre.org/data/definitions/94.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:nas4free:nas4free::::::::	1	OR		9.1.0.1.804
cpe:2.3:a:nas4free:nas4free:9.1.0.1.798:::::::*	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:M/Au:S/C:P/I:P/A:P

Access Vector
NETWORK

Access Compatibility
MEDIUM

Authentication
SINGLE

Confidentiality Impact
PARTIAL

Integrity Impact
PARTIAL

Availability Impact
PARTIAL

Base Score
6

Severity
MEDIUM

Exploitability Score
6.8

Impact Score
6.4

References

Reference URL	Reference Tags
https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats	Exploit
http://www.kb.cert.org/vuls/id/326830	US Government Resource

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2013-3631
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3631

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 10:40:18				Added to TrackCVE
2022-12-01 20:34:45	cert@cert.org	cret@cert.org	CVE Assigner	updated
2022-12-01 20:34:45	2013-11-02T19:55Z	2013-11-02T19:55:04	CVE Published Date	updated
2022-12-01 20:34:45		2013-11-05T14:56:57	CVE Modified Date	updated
2022-12-01 20:34:45		Analyzed	Vulnerability Status	updated