Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

CVE-2025-30091

High

9.4/10

Summary

In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and InstallCommand is available after an installation has completed.

Attack Complexity: LOW
Attack Vector: NETWORK
User Interaction: NONE
Privileges Required: LOW

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.

References

Advisory Timeline

Published Mar 25, 2025

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

CVE-2025-30091

Summary

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS