CVE-2018-17036

Опубликовано: 14 сент. 2018

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

An issue was discovered in UCMS 1.4.6 and 1.6. It allows PHP code injection during installation via the systemdomain parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.

Ссылки

https://github.com/blackstar24/UCMS/blob/master/phpinfo.md
Exploit
Third Party Advisory
https://github.com/blackstar24/UCMS/blob/master/phpinfo.md
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:ucms_project:ucms:1.4.6:*:*:*:*:*:*:*

cpe:2.3:a:ucms_project:ucms:1.6:*:*:*:*:*:*:*

EPSS

Процентиль: 66%

0.00513

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94

Связанные уязвимости

GHSA-g4cv-96p3-5rqp