PHP.index.php.Script.Code.Injection
Description
This indicates an attempt to exploit a direct static code injection vulnerability in EJ3 TOPo.
The vulnerability is due to input validation errors in the "code/class_db_text.php" script. The script does not validate certain parameters (e.g. "descripcion" or "pais") before they are stored in a PHP script inside the "data" directory. This can be exploited by attackers to inject and execute arbitrary PHP code with the privileges of the web server.
Affected Products
EJ3 TOPo version 2.2.178 and prior.
Impact
System compromise: execution of arbitrary PHP code.
Recommended Actions
We are currently not aware of any vendor-supplied patches for this issue.
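With no patch available, one mitigation for this bug class is to keep user-supplied fields out of any file the web server will execute as PHP. The following is an added example, not EJ3 TOPo code or vendor guidance: the function names, length limits and JSON-lines storage format are assumptions; only the parameter names "descripcion" and "pais" come from the description above.

```php
<?php
// Assumed per-field byte limits; the field names are the ones named in the advisory.
const FIELD_RULES = ['descripcion' => 200, 'pais' => 60];

/** Accept only known fields that are valid UTF-8, bounded in length and free of control bytes. */
function validate_record(array $input): array
{
    $clean = [];
    foreach (FIELD_RULES as $name => $maxLen) {
        $value = $input[$name] ?? '';
        if (!is_string($value) || preg_match('//u', $value) !== 1) {
            throw new InvalidArgumentException("invalid encoding in $name");
        }
        if (strlen($value) > $maxLen || preg_match('/[\x00-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException("invalid value for $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

/** Append the record as one JSON line to a data file that is never a PHP script. */
function store_record(string $dataFile, array $input): void
{
    if (strtolower(pathinfo($dataFile, PATHINFO_EXTENSION)) === 'php') {
        throw new InvalidArgumentException('data file must not be a PHP script');
    }
    // JSON_HEX_TAG writes "<" and ">" as \u003C / \u003E, so no tag ever reaches the file.
    $line = json_encode(validate_record($input), JSON_THROW_ON_ERROR | JSON_HEX_TAG) . "\n";
    if (file_put_contents($dataFile, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
}

/** Read records back as data with json_decode; the file is never include()d. */
function load_records(string $dataFile): array
{
    $records = [];
    foreach (file($dataFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        $records[] = json_decode($line, true, 8, JSON_THROW_ON_ERROR);
    }
    return $records;
}

// Constructed sample: markup-like input round-trips as inert data.
$file = sys_get_temp_dir() . '/topo_demo_' . bin2hex(random_bytes(4)) . '.jsonl';
store_record($file, ['descripcion' => 'Sitio <b>de</b> prueba', 'pais' => 'ES']);
var_dump(load_records($file)[0]['descripcion'] === 'Sitio <b>de</b> prueba');
unlink($file);
```

Placing the data file outside the document root, or denying script execution for the "data" directory in the web server configuration, covers the case where an existing deployment cannot change its storage format.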
Coverage
IPS (Regular DB)
IPS (Extended DB)