CVE-2014-8877

Name of the Vulnerable Software and Affected Versions CM Downloads Manager plugin versions prior to 2.0.4

Description The issue allows remote attackers to execute arbitrary PHP code. This is achieved via the CMDsearch parameter to the "cmdownloads/" endpoint, which is processed by the PHP create function function.

Recommendations For versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "cmdownloads/" endpoint or disabling the alterSearchQuery function in the CmdownloadController.php file until a patch is available. Avoid using the CMDsearch parameter in the affected endpoint until the issue is resolved.