An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=<?php and admin/databack/bakup_tables.php?2=file_put_contents URIs because app/system/databack/admin/index.class.php creates bakup_tables.php temporarily.

Published: 2019-02-11 04:29
Updated: 2019-02-11 17:59

CVSS Score
Score 6.8 / 10

Vendor: Metinfo
Product: Metinfo
Version: 6.1.3
URI: cpe:/a:metinfo:metinfo:6.1.3


ID: CWE-362
Name: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Description: The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

History of changes

Date Event
2019-02-11 17:59
2019-02-11 04:29