Phpcms · Phpcms · CVE-2018-19127
**Name of the Vulnerable Software and Affected Versions**
PHPCMS 2008
**Description**
A code injection issue in the /type.php file allows attackers to execute arbitrary code by writing PHP code to a cache file with a controllable filename. The PHP code is sent via the `template` parameter and is written to a data/cache_template/*.tpl.php file, which includes a "<?php function " substring.
**Recommendations**
For PHPCMS 2008, as a temporary workaround, consider restricting access to the /type.php file and the `template` parameter to minimize the risk of exploitation. Avoid using the `template` parameter in the affected /type.php file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
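To support the workaround above, the following log check flags requests to /type.php whose `template` value is not a plain identifier. It is an added example, not part of the original advisory or of PHPCMS. The identifier allowlist, the combined access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: legitimate template names are short plain identifiers.
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_-]{0,64}")
# Request line of a combined-format access-log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

SAMPLE_LOG = [  # constructed lines, documentation addresses only
    '192.0.2.10 - - [01/Jan/2019:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2019:10:00:01 +0000] "GET /type.php?id=3 HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/Jan/2019:10:00:02 +0000] "GET /type.php?template=list_a HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/Jan/2019:10:00:03 +0000] "GET /type.php?template=a%7Bb HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2019:10:00:04 +0000] "GET /type.php?template=a%257Bb HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Jan/2019:10:00:05 +0000] "POST /type.php HTTP/1.1" 200 0',
]


def classify(line):
    """Return None, 'review' or 'suspicious' for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    # The web server decodes the path once, so /type%2Ephp must match too.
    if not unquote(url.path).lower().endswith("/type.php"):
        return None
    values = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
              if k == "template"]
    if not values:
        # POST bodies are not in the access log; the parameter may be there.
        return "review" if match.group("method") == "POST" else None
    # parse_qsl decodes once; a double-encoded value still contains '%',
    # which the allowlist rejects, so it is flagged as well.
    if all(SAFE_TEMPLATE.fullmatch(v) for v in values):
        return None
    return "suspicious"


def scan(lines):
    """Return (line_number, verdict) for every line that needs attention."""
    return [(n, v) for n, line in enumerate(lines, start=1)
            if (v := classify(line))]


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

The same allowlist can serve as a request filter in front of /type.php. Lines marked `review` need body-level logging or WAF data to be resolved.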