PT-2019-15233 · Qibosoft · Qibosoft

Published 2019-10-15 · Updated 2019-10-18 · CVE-2019-17613

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: qibosoft version 7

Description: The issue allows remote code execution due to the use of eval calls in the do/jf.php file. An attacker can exploit the Point Introduction Management feature to supply PHP code for evaluation. Additionally, an attacker can perform a CSRF attack by accessing the admin/index.php?lfj=jfadmin&action=addjf endpoint, as demonstrated by a payload in the content parameter.

Recommendations: For qibosoft version 7, consider disabling the Point Introduction Management feature and restricting access to the admin/index.php?lfj=jfadmin&action=addjf endpoint to minimize the risk of exploitation. Avoid using the content parameter in the affected endpoint until the issue is resolved.
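As an added, hypothetical illustration (not Qibosoft's code and not taken from do/jf.php) of the two defects the description names, the PHP below shows a stored "point introduction" field being handed to eval next to a hardened handler that treats the content as data, escapes it on output, and rejects state changes that arrive without a per-session CSRF token. All function names, the csrf_token session key, the size limit and the store callback are assumptions for this example.

```php
<?php
// Added illustration (not Qibosoft's code): a hypothetical admin handler for a
// "point introduction" text field. Names and limits are assumptions.

declare(strict_types=1);

// --- Unsafe pattern (the defect class the advisory describes) -------------
// Stored, attacker-controlled text is passed to eval(), so anyone who can
// write the field (directly, or via CSRF against a logged-in admin) executes
// PHP on the server. Shown only to contrast with the hardened version below.
function render_intro_unsafe(string $storedContent): void
{
    eval($storedContent); // never evaluate stored user content
}

// --- Hardened version ------------------------------------------------------
// 1. The saved text is data, never code: it is HTML-escaped when rendered.
function render_intro_safe(string $storedContent): string
{
    return htmlspecialchars($storedContent, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. State-changing admin actions require a POST carrying a per-session CSRF
//    token, so a forged cross-site request from an admin's browser is rejected.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {           // session key is assumed
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function verify_csrf(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time and fails closed on a missing token.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// 3. Hypothetical "addjf"-style handler: rejects GET and missing or invalid
//    tokens, then stores the content as plain text. Nothing on this path
//    evaluates the string; it is only ever displayed through render_intro_safe().
function handle_add_intro(array $server, array $post, callable $store): int
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405; // a state change over GET is what makes CSRF trivial
    }
    if (!verify_csrf($post['csrf_token'] ?? null)) {
        return 403;
    }
    $content = (string)($post['content'] ?? '');
    if (strlen($content) > 4000) {
        return 400; // arbitrary size limit chosen for the example
    }
    $store($content); // persist as data
    return 200;
}

// Usage sketch (constructed; save_to_db is a hypothetical persistence function):
// session_start();
// $status = handle_add_intro($_SERVER, $_POST, fn(string $c) => save_to_db($c));
```

The form that submits to the handler would embed the value of csrf_token() in a hidden field; the detection side of this is straightforward too, since any eval whose argument can be traced back to a request parameter or a database column is worth flagging in code review or static analysis.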

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2019-17613

Affected Products: Qibosoft