Vulnerability Description
An issue was discovered in Tiny Issue 1.3.1 and pixeline Bugs through 1.3.2c. install/config-setup.php allows remote attackers to execute arbitrary PHP code via the database_host parameter if the installer remains present in its original directory after installation is completed.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tiny Issue Project | Tiny Issue | 1.3.1 |
| Pixeline | Bugs | <= 1.3.2c |
Related Weaknesses (CWE)
References
- https://github.com/mikelbring/tinyissue/issues/237ExploitThird Party Advisory
- https://github.com/pixeline/bugs/commit/9d2d3fcdea22e94f7b497f6ed83791ab3a31ee41PatchThird Party Advisory
- https://github.com/mikelbring/tinyissue/issues/237ExploitThird Party Advisory
- https://github.com/pixeline/bugs/commit/9d2d3fcdea22e94f7b497f6ed83791ab3a31ee41PatchThird Party Advisory
FAQ
What is CVE-2019-9002?
CVE-2019-9002 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in Tiny Issue 1.3.1 and pixeline Bugs through 1.3.2c. install/config-setup.php allows remote attackers to execute arbitrary PHP code via the database_host parameter if the inst...
How severe is CVE-2019-9002?
CVE-2019-9002 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-9002?
Check the references section above for vendor advisories and patch information. Affected products include: Tiny Issue Project Tiny Issue, Pixeline Bugs.