CVE-2008-6938

CVE-2008-6938 is a medium-severity vulnerability in Holger Zimmermann Pi3web with a CVSS 2.0 base score of 4.3. Its EPSS exploit-prediction score of 26% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-20.

Key facts

Description

Pi3Web 2.0.3 before PL2, when installed on Windows as a desktop application and without using the Pi3Web/Conf/Intenet.pi3, allows remote attackers to cause a denial of service (crash or hang) and obtain the full pathname of the server via a request to a file in the ISAPI directory that is not an executable DLL, which triggers the crash when the DLL load fails, as demonstrated using Isapi\users.txt.

Frequently asked questions

What is CVE-2008-6938?
Pi3Web 2.0.3 before PL2, when installed on Windows as a desktop application and without using the Pi3Web/Conf/Intenet.pi3, allows remote attackers to cause a denial of service (crash or hang) and obtain the full pathname of the server via a request to a file in the ISAPI directory that is not an executable DLL, which triggers the crash when the DLL load fails, as demonstrated using Isapi\users.txt.
How severe is CVE-2008-6938?
CVE-2008-6938 has a CVSS 2.0 base score of 4.3, rated medium severity.
Is CVE-2008-6938 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 26% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2008-6938?
CVE-2008-6938 primarily affects Holger Zimmermann Pi3web. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2008-6938?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2008-6938 published?
CVE-2008-6938 was published on 2009-08-11 and last updated on 2026-06-16.

References

Affected products (5)

Other CWE-20 (Improper Input Validation) vulnerabilities

Browse all CWE-20 (Improper Input Validation) vulnerabilities →