CVE-2018-17836

Name of the Vulnerable Software and Affected Versions JTBC(PHP) version 3.0.1.6

Description An issue allows remote attackers to execute arbitrary PHP code. This can be achieved by using a "/console/file/manage.php?type=action&action=addfile&path=..%2F" substring to upload a file, in conjunction with a multipart/form-data PHP payload.

Recommendations For JTBC(PHP) version 3.0.1.6, consider restricting access to the /console/file/manage.php endpoint until a fix is available. Avoid using the type, action, and path parameters in this endpoint to minimize the risk of exploitation.