Traq versions 2.0 through 2.3 contain a remote code execution vulnerability in the admincp/common.php script. The flawed authorization logic fails to halt execution after a failed access check, allowing unauthenticated users to reach admin-only functionality. This can be exploited via plugins.php to inject and execute arbitrary PHP code.
Security readout for executives and security teams
Plain-English summary
Traq issue tracker versions 2.0 through 2.3 are reported vulnerable to unauthenticated remote code execution. An attacker may reach admin-only plugin functionality and run PHP code. For any exposed legacy Traq deployment, this is a server takeover risk.
Executive priority
Treat exposed Traq systems as urgent. The business risk is complete compromise of the hosting server, but the likely footprint is narrow because this is legacy software.
Technical view
The issue combines missing effective authorization enforcement in admincp/common.php with code injection through plugins.php. The CVE maps to CWE-306 and CWE-94, has CVSS 4.0 score 10, and references public exploit writeups and modules. A v2.3.1 release is cited as the patch source.
Likely exposure
Exposure is likely limited to old Traq Project issue tracker deployments, especially internet-facing or forgotten internal installs. Evidence does not support broad exposure across unrelated products.
Exploitation context
Public exploit references exist, including Exploit-DB and Metasploit material. The CVE is not listed as KEV in the provided bundle, so active exploitation should not be asserted from these sources alone.
Researcher notes
Source metadata is slightly inconsistent: the description names versions 2.0 through 2.3, while one affected entry lists version 2.0. Validate installed version and patch state before reporting exposure. Avoid inferring active exploitation without KEV or incident evidence.
Mitigation direction
Find all Traq installations and confirm their versions.
Upgrade affected Traq 2.0 through 2.3 systems to v2.3.1 or later guidance.
Restrict network access to Traq until remediation is complete.
Review vendor or project guidance before applying compensating controls.
Retire unsupported Traq deployments where upgrade is not practical.
Validation and detection
Check asset inventory for Traq issue tracker deployments.
Confirm installed Traq version against the affected 2.0 through 2.3 range.
Review web logs for unexpected admincp or plugin management access.
Verify the system is updated to the cited v2.3.1 release.
Confirm exposed instances are no longer publicly reachable if not required.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
7Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-306 · source CWE mapping
Missing Authentication for Critical Function
Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Control of Generation of Code ('Code Injection')
Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.