PT-2019-14569 · Doccms · Doccms

Published: 2019-09-09 · Updated: 2020-08-24 · CVE-2019-16192

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

DocCms version 2016.5.17

Description

The issue allows remote attackers to execute arbitrary PHP code through module management files. This can be achieved by uploading a .php file in a ZIP archive, exploiting the upload_model() function in the /admini/controllers/system/managemodel.php file.

Recommendations

For DocCms version 2016.5.17, consider disabling the upload_model() function in the /admini/controllers/system/managemodel.php file as a temporary workaround to prevent exploitation. Restrict access to module management files to minimize the risk of arbitrary PHP code execution. Avoid using the module management feature until a fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2019-16192

Affected Products

Doccms