CVE-2015-10141
BaseFortify
Publication date: 2025-07-23
Last updated on: 2025-07-25
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| derick_rethans | xdebug | 2.5.5 |
| derick_rethans | xdebug | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unauthenticated OS command injection in Xdebug versions 2.5.5 and earlier. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without requiring authentication. An attacker can send a specially crafted eval command to execute arbitrary PHP code, which can include system-level functions like system() or passthru(), leading to full compromise of the host with the web server user's privileges.
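The mitigation for this class of issue is configuration, not code: remote debugging must be off on production hosts, and where it is needed at all the debugger must only talk to a known developer machine rather than to whichever peer shows up. The following php.ini fragment is an added example (not BaseFortify's or the Xdebug project's own text) showing a permissive Xdebug 2.x configuration beside a hardened one; it assumes the Xdebug 2.x directive names (xdebug.remote_enable, xdebug.remote_connect_back, xdebug.remote_autostart, xdebug.remote_host, xdebug.remote_port), and the host addresses are constructed placeholders.

```ini
; ---- Weak configuration (constructed example of what NOT to ship) ----
; Remote debugging is on, starts for every request, and the debug peer
; is chosen from the incoming request, so any client can open a session.
[xdebug-weak]
xdebug.remote_enable       = 1
xdebug.remote_autostart    = 1
xdebug.remote_connect_back = 1
xdebug.remote_port         = 9000

; ---- Hardened configuration (production) ----
; Remote debugging is fully disabled; the debugger never starts a session,
; never auto-starts, and never derives a peer address from a request.
[xdebug-hardened]
xdebug.remote_enable       = 0
xdebug.remote_autostart    = 0
xdebug.remote_connect_back = 0

; ---- If debugging is unavoidable on a non-production host ----
; Pin the session to a single trusted developer address and keep
; connect_back off so the peer cannot be chosen by the requester.
; (Commented out here; uncomment only on an isolated development box.)
; xdebug.remote_enable       = 1
; xdebug.remote_connect_back = 0
; xdebug.remote_host         = 127.0.0.1   ; placeholder: trusted dev host only
; xdebug.remote_port         = 9000
```

To verify what a running PHP actually loaded, `php -i | grep -i xdebug.remote` prints the effective values; any production host reporting `remote_enable => On` or `remote_connect_back => On` should be treated as a finding. Xdebug 3 renamed these directives (xdebug.mode, xdebug.client_host, xdebug.client_port, xdebug.discover_client_host), and the same rule applies there: debugging mode off in production and discover_client_host left disabled.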
How can this vulnerability impact me?
This vulnerability can lead to a full compromise of the affected host system under the privileges of the web server user. An attacker can execute arbitrary code remotely without authentication, potentially allowing them to control the server, access sensitive data, or disrupt services.