Vulnerability Description
The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path (the $path variable). NOTE: this issue has been disputed by the vendor, who states that only a static value is used, so this is not a vulnerability in GeSHi itself. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path.
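The dispute hinges on who controls the directory passed to set_language_path: GeSHi itself only ever uses a static value, so the risk exists only in an integrating application that lets request data reach that call. The following PHP is an added example written for this page (not GeSHi's own code and not taken from any cited advisory); it assumes GeSHi 1.0.8.x is installed as geshi.php with its language files in the default geshi/ directory, and the request-handling functions highlight_unsafe and highlight_safe are hypothetical.

```php
<?php
// Added example (not GeSHi code): how an integrating web app can turn
// set_language_path() into a file-inclusion sink, and a hardened form.
// Assumes GeSHi 1.0.8.x as geshi.php; the functions below are hypothetical.
require_once 'geshi.php';

// UNSAFE integration: the language directory comes from the request, so the
// caller decides where GeSHi looks for "<language>.php" before including it.
function highlight_unsafe(string $source, string $language, string $langPath): string
{
    $geshi = new GeSHi($source, $language);
    $geshi->set_language_path($langPath);   // attacker-influenced directory
    return $geshi->parse_code();
}

// HARDENED integration: the language directory is a compile-time constant,
// and the language name is restricted to a file that really lives there.
const GESHI_LANG_DIR = __DIR__ . '/geshi/';   // static, application-owned

function highlight_safe(string $source, string $language): string
{
    // GeSHi language names are lowercase alphanumerics plus '-' and '_'
    // (e.g. "c", "php-brief"); anything else (including "../") is rejected.
    if (!preg_match('/^[a-z0-9_-]+$/', $language)) {
        throw new InvalidArgumentException('invalid language name');
    }

    // Resolve the candidate file and confirm it is inside the language directory.
    $base = realpath(GESHI_LANG_DIR);
    $file = realpath(GESHI_LANG_DIR . $language . '.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('unknown language');
    }

    $geshi = new GeSHi($source, $language);
    $geshi->set_language_path(GESHI_LANG_DIR);   // constant, never request data
    return $geshi->parse_code();
}

// Constructed request: the user picks only the language name; the directory
// GeSHi loads from is never derived from input.
$lang = isset($_GET['lang']) ? (string) $_GET['lang'] : 'php';
echo highlight_safe("<?php echo 'hi'; ?>", $lang);
```

The check that matters is the one on set_language_path's argument: in highlight_safe it is a constant, so even a language name that passes the regex cannot redirect the include outside the application's own directory, which is exactly the "static value" the vendor's dispute relies on.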
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Geshi | Geshi | <= 1.0.8 |
Related Weaknesses (CWE)
References
- http://osvdb.org/49488
- http://secunia.com/advisories/32559 (Vendor Advisory)
- http://sourceforge.net/project/shownotes.php?release_id=637321 (Patch)
- http://www.openwall.com/lists/oss-security/2008/11/10/8
- http://www.securityfocus.com/bid/32070 (Patch)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46271
FAQ
What is CVE-2008-5186?
CVE-2008-5186 is a disputed vulnerability with a CVSS base score of 7.5 (HIGH). The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). The vendor disputes the issue, stating that GeSHi itself only uses a static value for that path.
How severe is CVE-2008-5186?
CVE-2008-5186 has been rated HIGH with a CVSS base score of 7.5/10. Note that the vendor disputes the issue: the score applies only to integrations that let untrusted input control the default language path.
Is there a patch for CVE-2008-5186?
The description indicates the issue is addressed in GeSHi 1.0.8.1; the SourceForge release notes entry in the references section above is tagged as the patch. Affected products include: Geshi Geshi (versions up to 1.0.8).