{"api_version":"1","generated_at":"2026-04-23T21:00:08+00:00","cve":"CVE-2015-3638","urls":{"html":"https://cve.report/CVE-2015-3638","api":"https://cve.report/api/cve/CVE-2015-3638.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2015-3638","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2015-3638"},"summary":{"title":"CVE-2015-3638","description":"phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2017-07-21 14:29:00","updated_at":"2017-07-25 16:35:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2015/05/04/4","name":"[oss-security] 20150504 Re: CVE requests / Advisory: phpMyBackupPro","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"oss-security - Re: CVE requests / Advisory: phpMyBackupPro","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://openwall.com/lists/oss-security/2015/04/25/1","name":"[oss-security] 20150425 CVE requests / Advisory: phpMyBackupPro","refsource":"MLIST","tags":["Mailing List","Patch","Third Party Advisory"],"title":"oss-security - CVE requests / Advisory: phpMyBackupPro","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1032250","name":"1032250","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"phpMyBackupPro Bugs Lets Remote Users Inject SQL Commands and Remote Authenticated Users Execute Arbitrary Code and Obtain Potentially Sensitive Information - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2015-3638","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-3638","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2015","cve_id":"3638","vulnerable":"1","versionEndIncluding":"2.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"phpmybackuppro","cpe5":"phpmybackuppro","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2015-3638","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"1032250","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1032250"},{"name":"[oss-security] 20150425 CVE requests / Advisory: phpMyBackupPro","refsource":"MLIST","url":"http://openwall.com/lists/oss-security/2015/04/25/1"},{"name":"[oss-security] 20150504 Re: CVE requests / Advisory: phpMyBackupPro","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2015/05/04/4"}]}},"nvd":{"publishedDate":"2017-07-21 14:29:00","lastModifiedDate":"2017-07-25 16:35:00","problem_types":["CWE-94"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:phpmybackuppro:phpmybackuppro:*:*:*:*:*:*:*:*","versionEndIncluding":"2.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2015","CveId":"3638","Ordinal":"80593","Title":"CVE-2015-3638","CVE":"CVE-2015-3638","Year":"2015"},"notes":[{"CveYear":"2015","CveId":"3638","Ordinal":"1","NoteData":"phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable.","Type":"Description","Title":null},{"CveYear":"2015","CveId":"3638","Ordinal":"2","NoteData":"2017-07-21","Type":"Other","Title":"Published"},{"CveYear":"2015","CveId":"3638","Ordinal":"3","NoteData":"2017-07-21","Type":"Other","Title":"Modified"}]}}}