desktop.php in eyeOS 0.8.9 and previous versions tests for the existence of the _SESSION variable before calling the session_start function, which allows remote malicious users to execute arbitrary PHP code and possibly conduct other attacks by modifying critical assumed-immutable variables, as demonstrated using PHP code in the _SESSION[apps][eyeOptions.eyeapp][wrapup] variable.
Vulnerable Product |
---|
eyeos project eyeos 0.8.3 |
eyeos project eyeos 0.8.3_r1 |
eyeos project eyeos 0.8.7 |
eyeos project eyeos 0.8.8 |
eyeos project eyeos 0.8.2_r2 |
eyeos project eyeos 0.8.2_r3 |
eyeos project eyeos 0.8.5_r1 |
eyeos project eyeos 0.8.6 |
eyeos project eyeos 0.8 |
eyeos project eyeos 0.8.1 |
eyeos project eyeos 0.8.1_r1 |
eyeos project eyeos 0.8.3_r2 |
eyeos project eyeos 0.8.4 |
eyeos project eyeos 0.8.9 |
eyeos project eyeos 0.8.2 |
eyeos project eyeos 0.8.2_r1 |
eyeos project eyeos 0.8.4_r1 |
eyeos project eyeos 0.8.5 |