CVE-2018-10236

Name of the Vulnerable Software and Affected Versions: POSCMS version 3.2.18

Description: The issue allows remote attackers to execute arbitrary PHP code. This is possible because an attacker can control the value of name with no restrictions in the add function of the Syscontroller.php file, and this value is written to a file.

Recommendations: For POSCMS version 3.2.18, consider restricting access to the add function in the Syscontroller.php file until a patch is available. As a temporary workaround, restrict the ability to control the value of name to prevent arbitrary PHP code execution.