Vulnerability Name: CVE-2008-5619 (CCN-47301)
Assigned: 2008-12-12
Published: 2008-12-12
Updated: 2018-10-11
Summary: html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.
CVSS v3 Severity: 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS v2 Severity:
10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
8.3 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
8.3 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Vulnerability Type: CWE-94
Vulnerability Consequences: Gain Access
References:
Source: MITRE Type: CNA CVE-2008-5619
Source: CONFIRM Type: UNKNOWN http://mahara.org/interaction/forum/topic.php?id=533
Source: OSVDB Type: UNKNOWN 53893
Source: CCN Type: SA33145 chuggnutt.com "HTML to Plain Text Conversion" PHP Class Code Execution
Source: SECUNIA Type: UNKNOWN 33145
Source: CCN Type: SA33169 RoundCube Webmail Denial of Service and PHP Code Execution
Source: SECUNIA Type: Vendor Advisory 33170
Source: CCN Type: SA34789 Mahara Cross-Site Scripting and PHP Code Execution Vulnerabilities
Source: SECUNIA Type: UNKNOWN 34789
Source: CONFIRM Type: Vendor Advisory http://sourceforge.net/forum/forum.php?forum_id=898542
Source: CONFIRM Type: Exploit http://trac.roundcube.net/changeset/2148
Source: CCN Type: RoundCube Webmail Web site #1485618 (Break-in possiblity via html2text.php?) RoundCube Webmail Trac
Source: MISC Type: Exploit http://trac.roundcube.net/ticket/1485618
Source: MLIST Type: UNKNOWN [oss-security] 20081212 CVE Request - roundcubemail
Source: CCN Type: OSVDB ID: 50694 RoundCube Webmail bin/html2text.php preg_replace Function Remote PHP Code Execution
Source: CCN Type: OSVDB ID: 51178 chuggnutt.com HTML to Plain Text Conversion PHP Class (class.html2text.inc) Arbitrary Code Execution
Source: CCN Type: OSVDB ID: 53893 Mahara html2text HTML To Plain Text Conversion Arbitrary Code Execution
Source: BUGTRAQ Type: UNKNOWN 20081222 POC for CVE-2008-5619 (roundcubemail PHP arbitrary code injection)
Source: CCN Type: BID-32799 chuggnutt.com HTML to Plain Text Conversion Remote Code Execution Vulnerability
Source: CCN Type: USN-791-1 Moodle vulnerabilities
Source: VUPEN Type: UNKNOWN ADV-2008-3418
Source: VUPEN Type: UNKNOWN ADV-2008-3419
Source: XF Type: UNKNOWN webmail-html2text-code-execution(47301)
Source: CONFIRM Type: UNKNOWN https://github.com/PHPMailer/PHPMailer/commit/8beacc646acb67c995aea10ac5585970efc7355a
Source: EXPLOIT-DB Type: UNKNOWN 7549
Source: EXPLOIT-DB Type: UNKNOWN 7553
Source: FEDORA Type: UNKNOWN FEDORA-2008-11220
Source: FEDORA Type: UNKNOWN FEDORA-2008-11234
Vulnerable Configuration: Configuration 1: Denotes that component is vulnerable