CVE-2018-10235

Name of the Vulnerable Software and Affected Versions: POSCMS version 3.2.10

Description: The issue allows remote attackers to execute arbitrary PHP code. This is possible because an attacker can control the value of cache['setting']['ucssocfg'] in diymodulemembermodelsMember model.php and write this code into the "api/ucsso/config.php" file through the 'index' function in diymodulemembercontrollersadminSetting.php.

Recommendations: For POSCMS version 3.2.10, consider disabling the index function in diymodulemembercontrollersadminSetting.php as a temporary workaround until a patch is available. Restrict access to the diymodulemembermodelsMember model.php model to minimize the risk of exploitation. Avoid using the cache['setting']['ucssocfg'] variable in the affected code until the issue is resolved.