What the vulnerability does
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post (pdf2post) allows Remote Code Inclusion. This issue affects PDF 2 Post versions up to and including 2.4.0.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
PDF 2 Post versions up to and including 2.4.0 contain a code injection vulnerability that allows authenticated users with low privileges to run arbitrary PHP code on the site. The CVSS vector marks the scope as changed (S:C), so the impact extends beyond the vulnerable component to the entire system. An attacker needs only a low-privilege account and network access to exploit it. Sites running affected versions should update immediately.
What an attacker can do
Run arbitrary PHP code on the site with full system access.
Potential impact on your site
Any low-privilege user account can compromise the entire site and access all data.
Conditions required to exploit
Attacker needs a low-privilege authenticated account and network access.
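To find out whether a given site is in the affected range, the following added example (not code from the advisory or from the PDF 2 Post project) reads the installed version from the plugin header and compares it with 2.4.0. It assumes a WordPress install with the default `wp-content/plugins/pdf2post` layout; the file name `main.php` and the result labels are hypothetical.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "pdf2post"      # plugin slug as written in the advisory
LAST_AFFECTED = (2, 4, 0)     # advisory: affected through <= 2.4.0

# WordPress takes plugin metadata from a comment header near the top of a
# PHP file in the plugin's own folder (it reads the first 8 KiB).
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d\S*)", re.M | re.I)

def parse_version(text):
    """'2.4' -> (2, 4, 0); suffixes such as '-beta' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(wp_root):
    """Return the version string, '' if no usable header, None if absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", errors="replace")
        if NAME_RE.search(head):
            match = VERSION_RE.search(head)
            return match.group(1) if match else ""
    return ""

def check_site(wp_root):
    version = installed_version(wp_root)
    if version is None:
        return "not-installed"
    if version == "":
        return "unknown-version"   # folder present but no readable header
    if parse_version(version) <= LAST_AFFECTED:
        return "affected"
    return "above-affected-range"

def make_sample_site(root, version):
    """Write a constructed plugin file (hypothetical file name) for the demo."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True, exist_ok=True)
    header = f"<?php\n/*\n * Plugin Name: PDF 2 Post\n * Version: {version}\n */\n"
    (plugin_dir / "main.php").write_text(header, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for v in ("2.3.9", "2.4.0", "2.4.1"):
            make_sample_site(root, v)
            print(v, check_site(root))
```

The check looks at files on disk, so it also reports a copy that is installed but deactivated.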