Guiciwushuang

**Name of the Vulnerable Software and Affected Versions** YzmCMS version 3.7.1 **Description** The issue concerns an eval injection in a specific PHP file, allowing remote attackers to execute arbitrary code. This is achieved by sending PHP code in the POST data of a particular request to `index.php?m=member&c=member content&a=init`. **Recommendations** For YzmCMS version 3.7.1, consider restricting access to the `index.php?m=member&c=member content&a=init` endpoint until a patch is available. Avoid using the eval function in the `global.func.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.