CVE-2018-19520

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-19520

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19520.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-19520

Published

2018-11-25T20:29:00Z

Modified

2024-11-21T03:58:05Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a checkbad function in an attempt to block certain PHP functions such as eval, but does not prevent use of pregreplace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type: GIT
Repo: https://github.com/php/php-src
Events: Introduced

2c1949d4e7fb4248c2a6b95b45094951c3607c8d

Last affected

b0822792c8d4c8d535ea1beb8ea63025496668e7