CVE-2017-11756

Name of the Vulnerable Software and Affected Versions Earcms Ear Music versions prior to 4.1 build 20170710

Description The issue allows remote authenticated users to execute arbitrary PHP code. This can be achieved by modifying the allowable music-upload extensions in admin.php?iframe=config upload to include .php, in addition to .mp3 and .m4a, and then uploading the code using user.php/music/add/.

Recommendations For Earcms Ear Music versions prior to 4.1 build 20170710, as a temporary workaround, consider restricting access to the admin.php?iframe=config upload endpoint and the user.php/music/add/ endpoint to prevent arbitrary PHP code execution until a patch is available. Avoid using the music upload feature with .php extensions in the affected versions.