PT-2018-14819 · Phpcms · Phpcms

Ab1Gale · Published 2018-11-09 · Updated 2019-02-04 · CVE-2018-19127

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PHPCMS 2008

Description

A code injection issue in the /type.php file allows attackers to execute arbitrary code by writing PHP code to a cache file with a controllable filename. The PHP code is sent via the template parameter and is written to a data/cache template/*.tpl.php file, which includes a "<?php function " substring.

Recommendations

For PHPCMS 2008, as a temporary workaround, consider restricting access to the /type.php file and the template parameter to minimize the risk of exploitation. Avoid using the template parameter in the affected /type.php file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
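
To check whether the template parameter of /type.php has been used against a site, the following added example (not part of the original advisory or of PHPCMS) reviews web server access logs for such requests. It assumes the Apache/nginx "combined" log format, that the parameter appears in the logged query string (POST bodies are not visible in access logs), and that legitimate template names are plain identifiers; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate template name is a plain identifier.
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_-]+")
# Assumption: "combined" log format; captures client IP, request target, status.
REQUEST = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})'
)

def suspicious_type_php_requests(lines):
    """Return (client_ip, status, template_value) for every request to
    /type.php whose template parameter is not a plain identifier."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        ip, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/type.php"):
            continue
        # parse_qs percent-decodes values, so encoded payloads are compared decoded.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("template", []):
            if not SAFE_TEMPLATE.fullmatch(value):
                hits.append((ip, int(status), value))
    return hits

# Constructed sample log lines (documentation IP ranges, inert marker value).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Nov/2018:10:00:01 +0000] "GET /type.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [09/Nov/2018:10:00:05 +0000] "GET /type.php?template=list_news HTTP/1.1" 200 4876 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Nov/2018:10:02:13 +0000] "GET /type.php?template=x%3C%3Fphp%20CONSTRUCTED_MARKER HTTP/1.1" 200 312 "-" "curl/7.61"',
    '198.51.100.7 - - [09/Nov/2018:10:02:20 +0000] "GET /index.php?template=a%7Bb HTTP/1.1" 200 900 "-" "curl/7.61"',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_type_php_requests(SAMPLE_LOG):
        print(f"{ip} status={status} template={value!r}")
```

Any hit warrants inspecting the template cache directory named in the description for recently written *.tpl.php files.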

Exploit

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2018-19127

Affected Products

Phpcms