PT-2018-12259 · Zeta · Zeta Producer Desktop CMS
P. Morimoto · Published 2018-07-16 · Updated 2018-09-12 · CVE-2018-13981
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Zeta Producer Desktop CMS versions prior to 14.2.1
Description: The issue allows unauthenticated remote code execution because a default component permits arbitrary upload of PHP files. The formmailer widget blocks files with a .php extension but not .php5 or .phtml files, so the extension check can be bypassed. The vulnerability is located in the /assets/php/formmailer/SendEmail.php and /assets/php/formmailer/functions.php files.
Recommendations: For versions prior to 14.2.1, update to version 14.2.1 or later to resolve the issue. As a temporary workaround, restrict access to the /assets/php/formmailer/ directory or disable the formmailer widget until the patch is applied, and do not use the formmailer widget to handle file uploads until the issue is resolved.
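The root cause described above is an extension blocklist that names only .php. The following is an added example, not code from Zeta Producer or from the advisory, showing that blocklist pattern beside an allowlist check of the kind a hardened form handler would use; the function names, the allowed-extension list and the sample file names are all constructed for illustration.

```php
<?php
// Added example (not Zeta Producer's own code): upload-name validation for a
// form handler, contrasting the extension blocklist pattern behind
// CVE-2018-13981 with an allowlist.

declare(strict_types=1);

// Blocklist check of the kind the advisory describes: only ".php" is
// rejected, so names ending in ".php5" or ".phtml" pass.
function blocklist_allows(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Hardened check: accept only a short allowlist of non-executable extensions
// (assumed list, adjust per site), require exactly one extension so
// double-extension names such as "a.php.jpg" are rejected, and refuse names
// containing path separators or control characters.
const ALLOWED_EXTENSIONS = ['pdf', 'jpg', 'jpeg', 'png', 'gif', 'txt'];

function allowlist_allows(string $filename): bool
{
    if ($filename === '' || strlen($filename) > 255) {
        return false;
    }
    if (preg_match('/[\/\\\\\x00-\x1f]/', $filename)) {
        return false;                       // path separators / control chars
    }
    $parts = explode('.', $filename);
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;                       // exactly "name.ext"
    }
    return in_array(strtolower($parts[1]), ALLOWED_EXTENSIONS, true);
}

// Never store a file under the client-supplied name: generate a random
// basename and re-attach only the validated, lower-cased extension.
function storage_name(string $filename): ?string
{
    if (!allowlist_allows($filename)) {
        return null;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, as a multipart upload's filename field would
// supply them; none of these come from the advisory.
$samples = ['resume.pdf', 'photo.JPG', 'shell.php', 'shell.php5',
            'shell.phtml', 'x.php.jpg', '../evil.png'];
foreach ($samples as $name) {
    printf("%-14s blocklist=%-6s allowlist=%s\n", $name,
        blocklist_allows($name) ? 'pass' : 'reject',
        allowlist_allows($name) ? 'pass' : 'reject');
}
```

Run with `php validate_upload.php`: the blocklist passes every sample except `shell.php`, while the allowlist passes only `resume.pdf` and `photo.JPG`. Extension validation is one layer; the advisory's workaround of restricting access to the /assets/php/formmailer/ directory addresses the same risk from the web-server side, and storing uploads outside any path the server executes as PHP removes the impact of a bypass entirely.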

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2018-13981

Affected Products: Zeta Producer Desktop CMS