Detections
Analytics
TWiki < 5.1.4 MAKETEXT Variable Tilde Character Command Injection
critical Nessus Plugin ID 64876
Language:
Synopsis
The remote web server hosts a CGI application that is affected by a command injection vulnerability.Description
According to its version number, the instance of TWiki running on the remote host is affected by a command injection vulnerability. The '%MAKETEXT{}%' variable fails to properly sanitize user-supplied input. A remote attacker can exploit this issue to execute arbitrary shell commands on the remote host subject to the privileges of the web server user.Note that only TWiki installs with localization enabled are affected.
Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to TWiki version 5.1.4 or later. Alternatively, apply the hotfix referenced in the vendor advisory.See Also
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751
Plugin Details
Severity: Critical
ID: 64876
File Name: twiki_5_1_4.nasl
Version: 1.10
Type: remote
Family: CGI abuses
Published: 2/25/2013
Updated: 6/5/2024
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2013-1751
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Information
CPE: cpe:/a:twiki:twiki
Required KB Items: Settings/ParanoidReport, installed_sw/TWiki
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Patch Publication Date: 2/18/2013
Vulnerability Publication Date: 2/18/2013
Reference Information
CVE: CVE-2013-1751
BID: 58024