CVE: CVE-2002-1798

Export to Word

MidiCart PHP, PHP Plus, and PHP Maxi allows remote attackers to (1) upload arbitrary php files via a direct request to admin/upload.php or (2) access sensitive information via a direct request to admin/credit_card_info.php.

Threat-Mapped Scoring

Score: 3.0

Priority: P2 - Serious (High)

S1 – Steal Customer Account Information

EPSS

Score: 0.06104
Percentile: 0.90352

CVSS Scoring

CVSS v3.1 Score: 9.1

Severity: CRITICAL

Mapped CWE(s)

CWE-425 : Direct Request ('Forced Browsing')

All CAPEC(s)

CAPEC-127: Directory Indexing
CAPEC-143: Detect Unpublicized Web Pages
CAPEC-144: Detect Unpublicized Web Services
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
CAPEC-87: Forceful Browsing

CAPEC(s) with Mapped TTPs

CAPEC-127: Directory Indexing
Mapped TTPs:
- T1083 : File and Directory Discovery
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
Mapped TTPs:
- T1565.002 : Transmitted Data Manipulation

Mapped ATT&CK TTPs

T1083 : File and Directory Discovery
Kill Chain: discovery
T1565.002 : Transmitted Data Manipulation
Kill Chain: impact

Malware

APTs Threat Group Associations

Campaigns

Operation Wocao
SolarWinds Compromise
Operation CuckooBees
Operation Honeybee
Operation Dream Job
C0015
Night Dragon
KV Botnet Activity

Affected Products

cpe:2.3:a:midicart:midicart_php:-:*:*:*:*:*:*:*
cpe:2.3:a:midicart:midicart_php_maxi:-:*:*:*:*:*:*:*
cpe:2.3:a:midicart:midicart_php_plus:-:*:*:*:*:*:*:*

← Back to Home