CVE-2018-5749

moderate-risk
Published 2018-01-23

install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, which might allow remote attackers to execute arbitrary PHP code via the (1) database_server, (2) database_user, (3) database_password, or (4) database_name parameter.

Do I need to act?

~
2.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Premium Minecraft Servers List
Minecraft Servers List Lite

Affected Vendors

Premium Minecraft Servers List Project Minecraft Servers List Lite Project

References (2)

Exploit https://www.rastating.com/minecraft-servers-list-unauthenticated-shell-upload/
Exploit https://www.rastating.com/minecraft-servers-list-unauthenticated-shell-upload/
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 5/34 · Minimal
Exposure 7/34 · Low