Vulnerabilities > CVE-2014-1216 - Remote Code Execution vulnerability in Fitnesse
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
FitNesse Wiki 20131110, 20140201, and earlier allows remote attackers to execute arbitrary commands by defining a COMMAND_PATTERN and TEST_RUNNER in the pageContent parameter when editing a page. Per: https://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Exploit-Db
| description | Fitnesse Wiki - Remote Command Execution Vulnerability. CVE-2014-1216. Remote exploit for windows platform |
| file | exploits/windows/remote/32568.rb |
| id | EDB-ID:32568 |
| last seen | 2016-02-03 |
| modified | 2014-03-28 |
| platform | windows |
| port | 80 |
| published | 2014-03-28 |
| reporter | SecPod Research |
| source | https://www.exploit-db.com/download/32568/ |
| title | Fitnesse Wiki - Remote Command Execution Vulnerability |
| type | remote |
Packetstorm
data source https://packetstormsecurity.com/files/download/125928/fitnesse_wiki_rce.rb.txt id PACKETSTORM:125928 last seen 2016-12-05 published 2014-03-28 reporter Veerendra G.G source https://packetstormsecurity.com/files/125928/Fitnesse-Wiki-Remote-Command-Execution.html title Fitnesse Wiki Remote Command Execution data source https://packetstormsecurity.com/files/download/125481/fitnessewiki-exec.txt id PACKETSTORM:125481 last seen 2016-12-05 published 2014-03-02 reporter Jerzy Kramarz source https://packetstormsecurity.com/files/125481/Fitnesse-Wiki-20131110-Remote-Command-Execution.html title Fitnesse Wiki 20131110 Remote Command Execution
Seebug
bulletinFamily exploit description Bugtraq ID:65921 CVE ID:CVE-2014-1216 FitNesse是一套软件开发协作工具。 Fitnesse Wiki不正确校验已编辑页面语法参数数据,允许远程攻击者利用漏洞提交特殊的请求以应用程序上下文执行任意命令。 0 Fitnesse Wiki v20131110 目前没有详细解决方案提供: http://www.fitnesse.org id SSV:61648 last seen 2017-11-19 modified 2014-03-05 published 2014-03-05 reporter Root source https://www.seebug.org/vuldb/ssvid-61648 title Fitnesse远程代码执行漏洞 bulletinFamily exploit description No description provided by source. id SSV:85849 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-85849 title Fitnesse Wiki Remote Command Execution Vulnerability