CVE-2018-19896

Name of the Vulnerable Software and Affected Versions ThinkCMF version X2.2.2

Description The issue concerns a SQL Injection problem via the delete() function in SlideController.class.php. It can be exploited by an attacker with manager privileges through the ids[] parameter in a slide action.

Recommendations For ThinkCMF version X2.2.2, consider disabling the delete() function in SlideController.class.php until a patch is available to prevent exploitation via the ids[] parameter. Restrict access to the slide action for users with manager privileges to minimize the risk of exploitation.