CVE Vulnerabilities

CVE-2018-17984

Incorrect Regular Expression

Published: Oct 04, 2018 | Modified: Nov 21, 2024
CVSS 3.x: 7.8 HIGH
Source: NVD
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 4.6 MEDIUM
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access.
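
The difference between the unanchored pattern named above and an anchored one, as an added example (not ISPConfig source code; the function names and sample inputs are hypothetical and constructed for illustration):

```php
<?php
// Added illustration; not taken from ISPConfig. All names and inputs are hypothetical.

// Weak form: the pattern from the description. preg_match() succeeds as soon as
// ANY two consecutive lowercase letters occur anywhere in the string, so the
// rest of the value is never constrained.
function is_lang_code_unanchored(string $value): bool
{
    return preg_match('/[a-z]{2}/', $value) === 1;
}

// Hardened form: \A and \z pin the match to the entire string.
// Unlike "$" (without the D modifier), \z does not accept a trailing newline.
function is_lang_code_anchored(string $value): bool
{
    return preg_match('/\A[a-z]{2}\z/', $value) === 1;
}

// Constructed sample inputs: two valid codes, then values that should be rejected.
$samples = ['en', 'de', 'EN', "en\n", 'en/../other', '/tmp/anything'];

foreach ($samples as $s) {
    printf(
        "%-18s unanchored=%-5s anchored=%s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        var_export(is_lang_code_unanchored($s), true),
        var_export(is_lang_code_anchored($s), true)
    );
}
```

Only `en` and `de` pass the anchored check, while the unanchored check also accepts the newline-terminated value and both path-like values. A value used to build an include path is safer still when it is looked up in a fixed list of known codes after validation.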

Weakness

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

Affected Software

Name | Vendor | Start Version | End Version
Ispconfig | Ispconfig | * | 3.1.13 (excluding)
