cve/2018/CVE-2018-19290.md

### [CVE-2018-19290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19290)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact, as demonstrated by the "!calc 5 x 5" command. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.

### POC

#### Reference
- http://packetstormsecurity.com/files/150391/Budabot-4.0-Denial-Of-Service.html
- http://packetstormsecurity.com/files/150391/Budabot-4.0-Denial-Of-Service.html
- http://seclists.org/fulldisclosure/2018/Nov/44
- http://seclists.org/fulldisclosure/2018/Nov/44

#### Github
No PoCs found on GitHub currently.