TWiki.Configure.TYPEOF.Parameter.Command.Execution
Description
TWiki is prone to a remote command-execution vulnerability. The flaw is in the configure script of TWiki 4.0.0 through 4.0.4 and is caused by insufficient validation of submitted form-parameter names. A remote attacker who can reach the configure script can execute arbitrary Perl code by sending an HTTP POST request containing a parameter whose name starts with "TYPEOF". Because the injected Perl can in turn spawn shell commands, the attacker can run arbitrary commands with the privileges of the web server process.
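As an added illustration (not part of this advisory, not the vendor's IPS signature, and not TWiki's own code): the weakness is that a client-supplied parameter name is trusted and reaches Perl's eval. The Python below parses a form-encoded POST body, flags TYPEOF-prefixed names that fall outside an allowlisted shape, and shows the server-side key check a fixed script would apply before using a submitted key. The legitimate shape of a TYPEOF name (the prefix followed by one or more {Key} components) and both sample bodies are assumptions constructed for this example, not taken from TWiki or from captured traffic.

```python
"""Flag suspicious TYPEOF parameter names in a TWiki configure POST body.

Added example for this advisory; not the vendor's signature and not TWiki code.
"""
import re
from urllib.parse import quote_plus, unquote_plus

# Assumed shape of a legitimate TYPEOF parameter name: the literal prefix
# followed by one or more {Key} path components, e.g. TYPEOF:{Plugins}{Foo}.
# This allowlist is an assumption made for the example, not taken from TWiki.
LEGIT_TYPEOF = re.compile(r'^TYPEOF:(\{[A-Za-z0-9_]+\})+$')


def parse_body(body: str):
    """Split an application/x-www-form-urlencoded body into (name, value) pairs.

    Splitting is done by hand on '&' so the result does not depend on how
    parse_qsl treats ';' across Python versions.
    """
    pairs = []
    for field in body.split('&'):
        if not field:
            continue
        name, _, value = field.partition('=')
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_typeof_params(body: str):
    """Return every TYPEOF-prefixed parameter name that is not allowlisted.

    Anything beyond the {Key}{Key} shape (quotes, braces out of place, '|',
    parentheses, spaces) is exactly what an eval-injection payload needs, so
    the detector reports the whole offending name for the analyst.
    """
    return [name for name, _ in parse_body(body)
            if name.startswith('TYPEOF') and not LEGIT_TYPEOF.match(name)]


def is_safe_config_key(key: str) -> bool:
    """Server-side allowlist check a fixed configure script could apply to a
    submitted key before it is ever interpolated into a string handed to eval."""
    return re.fullmatch(r'(\{[A-Za-z0-9_]+\})+', key) is not None


# Constructed sample bodies (not captured traffic).
BENIGN = "&".join([
    quote_plus("TYPEOF:{DefaultUrlHost}") + "=STRING",
    quote_plus("{DefaultUrlHost}") + "=" + quote_plus("http://wiki.example.test"),
])

# A name that breaks out of the {Key} shape and carries Perl code; the exact
# payload is made up for the example and is only meant to trip the allowlist.
HOSTILE = "&".join([
    quote_plus("TYPEOF:{Foo}{Bar}} || system('id') || {") + "=STRING",
    "action=save",
])

if __name__ == "__main__":
    print("benign :", suspicious_typeof_params(BENIGN))   # []
    print("hostile:", suspicious_typeof_params(HOSTILE))  # one flagged name
    print("key ok :", is_safe_config_key("{Plugins}{Foo}{Enabled}"))
```

The detector is deliberately an allowlist rather than a blocklist of Perl keywords: a name that is not strictly `TYPEOF:{Key}...` has no legitimate reason to exist, so matching the good shape catches encodings and operator choices a keyword list would miss.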
Affected Products
TWiki 4.0.0 - 4.0.4
Impact
Remote execution of arbitrary Perl code, and through it arbitrary shell commands, with the privileges of the web server.
Recommended Actions
The vendor has released an advisory and a hotfix for this issue; apply the hotfix or upgrade to a release that includes it. The advisory is available at http://twiki.org/cgi-bin/view/Codev/SecurityAlertCmdExecWithConfigure
Coverage
Database | Covered |
---|---|
IPS (Regular DB) | |
IPS (Extended DB) | |
Version Updates
Date | Version | Detail |
---|---|---|
2023-08-01 | 25.612 | Name changed from Twiki.Configure.TYPEOF.Parameter.Command.Execution to TWiki.Configure.TYPEOF.Parameter.Command.Execution |
2020-12-11 | 16.978 | |