PHP.index.php.Script.Code.Injection

Description

This indicates an attempt to exploit a direct static code injection vulnerability in EJ3 TOPo.
The vulnerability is due to input validation errors in the "code/class_db_text.php" script. The script does not validate certain parameters (e.g. "descripcion" or "pais") before they are stored in a PHP script inside the "data" directory. This can be exploited by attackers to inject and execute arbitrary PHP code with the privileges of the web server.
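The storage pattern described above, next to two safer ways to persist the same fields. This is an added illustration, not EJ3 TOPo source code: only the field names "descripcion" and "pais" come from the advisory, and every function name and the file layout are hypothetical.

```php
<?php
// Added illustration of the bug class; not EJ3 TOPo source code.
// Only the field names "descripcion" and "pais" come from the advisory;
// function names and file layout are hypothetical.

// Vulnerable pattern: request values are concatenated into PHP source that
// is later include()d, so whatever was stored is parsed as code.
function save_record_vulnerable(string $path, array $in): void
{
    $src = "<?php\n"
         . '$descripcion = "' . $in['descripcion'] . "\";\n"
         . '$pais = "' . $in['pais'] . "\";\n";
    file_put_contents($path, $src, LOCK_EX);
}

// Validate type, strip ASCII control bytes, cap length (in bytes).
function clean_field($value, int $max): string
{
    if (!is_string($value)) {
        throw new InvalidArgumentException('field must be a string');
    }
    return substr(preg_replace('/[\x00-\x1F\x7F]/', '', $value), 0, $max);
}

function build_record(array $in): array
{
    return [
        'descripcion' => clean_field($in['descripcion'] ?? '', 255),
        'pais'        => clean_field($in['pais'] ?? '', 64),
    ];
}

// Hardened option 1: keep data as data. The file is read with json_decode(),
// never include()d. JSON_HEX_TAG encodes "<" and ">" so the file holds no PHP
// open tag even if it is served through the PHP handler.
function save_record_json(string $path, array $in): void
{
    $json = json_encode(build_record($in), JSON_THROW_ON_ERROR | JSON_HEX_TAG);
    file_put_contents($path, $json, LOCK_EX);
}

// Hardened option 2: if the store must stay a PHP file, let var_export()
// emit the literal so PHP itself escapes quotes and backslashes.
function save_record_php(string $path, array $in): void
{
    $src = "<?php\nreturn " . var_export(build_record($in), true) . ";\n";
    file_put_contents($path, $src, LOCK_EX);
}
```

With either hardened option, keeping the data files outside the web root, or denying direct requests to the "data" directory, removes the remaining path by which a stored file could be handed to the PHP interpreter.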

Affected Products

EJ3 TOPo version 2.2.178 and prior.

Impact

System compromise: execution of arbitrary PHP code.

Recommended Actions

We are currently not aware of any vendor-supplied patches for this issue.

Coverage

IPS (Regular DB)
IPS (Extended DB)