Описание
Arbitrary Code Execution in Processwire
An issue found in Processwire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module.
Пакеты
Наименование
processwire/processwire
composer
Затронутые версииВерсия исправления
<= 3.0.210
Отсутствует
Связанные уязвимости
CVSS3: 7.2
nvd
около 2 лет назад
An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an admin; however, a ProcessWire admin is intentionally allowed to install any module that contains any arbitrary code.