PT-2018-14207 · Hisi · Hisiphp

Published: 2018-10-01 · Updated: 2019-01-08 · CVE-2018-17827

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

HisiPHP version 1.0.8

Description

The issue allows remote attackers to execute arbitrary PHP code. This is achieved by editing a plugin's name to contain the malicious code, which is then injected into the app/admin/model/AdminPlugins.php file.

Recommendations

For HisiPHP version 1.0.8, consider restricting access to the plugin editing functionality until a patch is available. As a temporary workaround, avoid using the plugin name field to inject malicious PHP code.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2018-17827

Affected Products

Hisiphp