PT-2018-13807 · Elefant · Elefant Cms

Liao10086 · Published 2018-09-12 · Updated 2022-05-13 · CVE-2018-16975

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Elefant CMS versions prior to 2.0.7

Description

The issue is related to a PHP Code Execution Vulnerability. It can be exploited through the /designer/add/stylesheet.php endpoint by using a .php extension in the New Stylesheet Name field in conjunction with <?php content. This is due to insufficient input validation in apps/designer/handlers/csspreview.php.

Recommendations

For versions prior to 2.0.7, update to version 2.0.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the /designer/add/stylesheet.php endpoint or disabling the apps/designer/handlers/csspreview.php handler until a patch is available. Avoid using the .php extension in the New Stylesheet Name field to minimize the risk of exploitation.
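A server-side check of the kind the description says was missing, shown as an added example: it is not Elefant CMS code and not the 2.0.7 fix. The function name validate_stylesheet, the allowed name pattern and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical validator for a "New Stylesheet Name" value and its content.
 * Returns the name unchanged when it is safe to store; throws otherwise.
 */
function validate_stylesheet(string $name, string $body): string
{
    // Allowlist, not denylist: a single stem of safe characters followed by a
    // literal ".css". \A and \z anchor the whole string, so a trailing newline,
    // a path component ("../x.css"), a double extension ("x.php.css",
    // "x.css.php") or any other suffix (".php", ".phtml") fails to match.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.css\z/', $name) !== 1) {
        throw new InvalidArgumentException('name must be <stem>.css');
    }

    // Defence in depth: a stylesheet has no need for a PHP open tag, so refuse
    // "<?" in any form ("<?php", "<?=", short tags) instead of trusting the
    // extension check alone.
    if (strpos($body, '<?') !== false) {
        throw new InvalidArgumentException('content contains a PHP open tag');
    }

    return $name;
}

// Constructed sample inputs, covering the name/content combination from the
// description plus a few near misses.
$samples = [
    ['site.css',     'body { color: #333; }'],
    ['site.php',     'body { color: #333; }'],
    ['site.css',     '<?php /* placeholder */ ?>'],
    ['site.css.php', 'body {}'],
    ['../site.css',  'body {}'],
];

foreach ($samples as [$name, $body]) {
    try {
        printf("%-13s accepted as %s\n", $name, validate_stylesheet($name, $body));
    } catch (InvalidArgumentException $e) {
        printf("%-13s rejected: %s\n", $name, $e->getMessage());
    }
}
```

Only the first sample is accepted; the other four are rejected before anything would be written to disk.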

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2018-16975
GHSA-X2W2-QGV6-8XRM

Affected Products

Elefant Cms