CVE-2009-4137

EPSS 4.88%
Veröffentlicht 24.12.2009 16:30:00
Zuletzt bearbeitet 09.04.2025 00:30:58
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the __destruct function in the Piwik_Config class; php://filter URIs; the __destruct functions in Zend Framework, as demonstrated by the Zend_Log destructor; the shutdown functions in Zend Framework, as demonstrated by the Zend_Log_Writer_Mail class; the render function in the Piwik_View class; Smarty templates; and the _eval function in Smarty.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Matomo ≫ Matomo Version0.2.25

Matomo ≫ Matomo Version0.2.26

Matomo ≫ Matomo Version0.2.27

Matomo ≫ Matomo Version0.2.28

Matomo ≫ Matomo Version0.2.29

Matomo ≫ Matomo Version0.2.30

Matomo ≫ Matomo Version0.2.31

Matomo ≫ Matomo Version0.2.32

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	4.88%	0.885

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://dev.piwik.org/trac/changeset/1637

Vendor Advisory

http://piwik.org/blog/2009/12/piwik-response-to-shocking-news-in-php-exploitation/

Vendor Advisory

http://www.openwall.com/lists/oss-security/2009/12/09/2

http://www.openwall.com/lists/oss-security/2009/12/10/1

http://www.openwall.com/lists/oss-security/2009/12/14/2

http://www.sektioneins.de/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/

http://www.suspekt.org/2009/12/09/advisory-032009-piwik-cookie-unserialize-vulnerability/

http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf

https://nvd.nist.gov/vuln/detail/CVE-2009-4137

CVE Source (NVD)