CVE-2014-1683

Name of the Vulnerable Software and Affected Versions SkyBlueCanvas CMS versions prior to 1.1 r248-04

Description The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the name, email, subject, or message parameter to "index.php" when the pid parameter is 4. This is due to a problem in the bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php.

Recommendations For SkyBlueCanvas CMS versions prior to 1.1 r248-04, update to version 1.1 r248-04 or later to resolve the issue. As a temporary workaround, consider restricting access to the bashMail function in the contacts module to minimize the risk of exploitation. Avoid using the name, email, subject, or message parameters in the affected "index.php" endpoint when the pid parameter is 4 until the issue is resolved.