CVE-2018-19180

Name of the Vulnerable Software and Affected Versions YUNUCMS version 1.1.5

Description The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by placing the code in the DB PREFIX field, which is then written to database.php, when the index.php?s=index/install/setup2 endpoint is accessed and the install.lock file is not present.

Recommendations For YUNUCMS version 1.1.5, as a temporary workaround, consider restricting access to the index.php?s=index/install/setup2 endpoint until a patch is available. Additionally, ensure the install.lock file is present to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.