CVE-2013-10070
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-07
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| php-charts | php-charts | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
PHP-Charts v1.0 has a vulnerability in the wizard/url.php file where user-supplied GET parameter names are passed directly to the eval() function without any sanitization. This allows a remote attacker to craft a request with specially designed parameter names containing base64-encoded PHP code, which gets executed on the server. This leads to arbitrary PHP code execution and command execution on the web server.
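A log check a defender could run for the behaviour described above; this is an added example, not code from PHP-Charts or from this advisory. It flags requests to wizard/url.php whose GET parameter names are not plain field names. The combined log format, the `/php-charts/` install path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: Apache/nginx "combined" log format, request line in the first quoted field.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# What an ordinary form-field name looks like: identifier, optional [] suffixes.
PLAIN_NAME_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_\-]*(\[[A-Za-z0-9_\-]*\])*$')
TARGET_SUFFIX = "/wizard/url.php"  # script named in the CVE description


def suspicious_param_names(line):
    """Return the GET parameter names in one log line that are not plain identifiers."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(TARGET_SUFFIX):
        return []
    # parse_qsl percent-decodes names, so encoded punctuation is checked in clear.
    names = [name for name, _ in parse_qsl(url.query, keep_blank_values=True)]
    return [n for n in names if not PLAIN_NAME_RE.match(n)]


def scan(lines):
    """Return (client_ip, names) for every line with at least one suspicious name."""
    hits = []
    for line in lines:
        names = suspicious_param_names(line)
        if names:
            hits.append((line.split(" ", 1)[0], names))
    return hits


# Constructed sample lines (documentation IP range, inert placeholder values).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Aug/2025:10:00:00 +0000] '
    '"GET /php-charts/wizard/url.php?type=bar&width=400 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [05/Aug/2025:10:00:05 +0000] '
    '"GET /php-charts/wizard/url.php?name%28PLACEHOLDER%29=1 HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [05/Aug/2025:10:00:09 +0000] '
    '"GET /index.php?a%28b%29=1 HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG):
        print(f"{ip}: non-identifier parameter name(s) on url.php: {names}")
```

A hit means a request carried code-like syntax in a parameter name; whether it was evaluated depends on the installed version, so treat hits as leads for host-level review.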
How can this vulnerability impact me?
This vulnerability allows unauthenticated remote attackers to execute arbitrary system-level commands on the host running PHP-Charts. This can lead to a full compromise of the host system, including unauthorized access, data theft, data modification, or complete control over the affected server.