CVE-2018-19404

Name of the Vulnerable Software and Affected Versions YXcms version 1.4.7

Description The issue allows remote authenticated Administrators to execute any PHP code. This can be achieved by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and then visiting the /index.php?r=appmanage/index/onlineinstall&url= API endpoint followed by that URL. The issue is related to the onlineinstall and import functions.

Recommendations For YXcms version 1.4.7, as a temporary workaround, consider disabling the onlineinstall function until a patch is available. Restrict access to the import function to minimize the risk of exploitation. Avoid using the url parameter in the affected API endpoint until the issue is resolved.