CVE-2018-1999022
PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, and HTML_QuickForm_element's _prepareValue method that can result in possible information disclosure, possible impact on data integrity, and execution of arbitrary code. This attack appears to be exploitable via a specially crafted query string, e.g. http://www.example.com/admin/add_practice_type_id[1]=fubar%27])%20OR%20die(%27OOK!%27);%20//&mode=live. This vulnerability appears to have been fixed in 3.2.15.
EPSS 1.33% · 80.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | civicrm | *, 0, 5.18.1+dfsg-1 |
| Ubuntu:22.04:LTS | civicrm | 0, 5.33.2+dfsg1-1, 5.33.2+dfsg1-1build1 |
| Ubuntu:16.04:LTS | civicrm | *, 4.7.1+dfsg-2ubuntu1, 4.7.1+dfsg-2 |
| Ubuntu:18.04:LTS | civicrm | 0, 4.7.23+dfsg-1ubuntu1, 4.7.24+dfsg-1ubuntu1 |
Timeline
- Jul 23, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-1999022 third-party-advisory
- http://blog.pear.php.net/2018/07/19/security-vulnerability-announcement-html_quickform/ third-party-advisory
- https://civicrm.org/advisory/civi-sa-2018-07-remote-code-execution-in-quickform third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-1999022 third-party-advisory