Vulnerability Description
install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, which might allow remote attackers to execute arbitrary PHP code via the (1) database_server, (2) database_user, (3) database_password, or (4) database_name parameter.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Premium Minecraft Servers List Project | Premium Minecraft Servers List | < 2.0.4 |
| Minecraft Servers List Lite Project | Minecraft Servers List Lite | < 1.1 |
Related Weaknesses (CWE)
References
- https://www.rastating.com/minecraft-servers-list-unauthenticated-shell-upload/ExploitMitigationPatch
- https://www.rastating.com/minecraft-servers-list-unauthenticated-shell-upload/ExploitMitigationPatch
FAQ
What is CVE-2018-5749?
CVE-2018-5749 is a vulnerability with a CVSS score of 9.8 (CRITICAL). install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, w...
How severe is CVE-2018-5749?
CVE-2018-5749 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-5749?
Check the references section above for vendor advisories and patch information. Affected products include: Premium Minecraft Servers List Project Premium Minecraft Servers List, Minecraft Servers List Lite Project Minecraft Servers List Lite.