PT-2018-13907 · Cscms · Cscms

Published

2018-09-17

·

Updated

2018-11-19

·

CVE-2018-17126

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CScms version 4.1
Description: The issue allows unauthenticated remote code execution (the CVSS vector has AV:N and PR:N). It can be demonstrated by submitting the value 1');eval($_POST[cmd]);# in the Web Name field, which is processed by plugins/sys/Install.php. The shape of the payload (a closing quote and parenthesis, then an eval() call, then # to comment out the rest of the line) indicates that the installer writes the field unescaped into generated PHP source, so the injected eval() runs whenever that file is included and gives the attacker arbitrary PHP execution through the cmd POST parameter.
Recommendations: For CScms version 4.1, as a temporary workaround until a patch is available, restrict access to the Install.php file in the plugins/sys directory (an installer is normally meant to be unreachable, or removed, once setup is complete). For the underlying fix, never interpolate user-supplied values into generated PHP source or configuration files: emit them with var_export() or an equivalent escaping serializer, or store configuration in a non-executable format such as JSON, and validate fields like the site name against an allow-list of expected characters.
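The injection mechanism implied by the payload, and the fix the recommendation calls for, as an added example. This is illustrative PHP written for this page, not code from CScms or from plugins/sys/Install.php; the function names, the define()-based config layout and the allow-list are assumptions.

```php
<?php
// Added illustration for this advisory; it is NOT code from CScms.
// The function names, the config-file layout (define() calls) and the
// allow-list are assumptions: plugins/sys/Install.php is not reproduced.

// Vulnerable pattern: PHP source is assembled by string concatenation
// and later written to a config file that the application include()s.
function build_config_unsafe(string $webName): string
{
    return "<?php\n"
         . "define('WEB_NAME', '" . $webName . "');\n"
         . "define('INSTALLED', true);\n";
}

// Hardened pattern: var_export() emits a correctly quoted PHP string
// literal, escaping ' and \, so the value can never close the literal.
function build_config_safe(string $webName): string
{
    return "<?php\n"
         . "define('WEB_NAME', " . var_export($webName, true) . ");\n"
         . "define('INSTALLED', true);\n";
}

// Defence in depth: reject a site name that is not plain text. The
// character allow-list here is an assumption, not a CScms rule.
function is_valid_web_name(string $webName): bool
{
    return strlen($webName) <= 64
        && preg_match('/^[\p{L}\p{N} _.\-]+\z/u', $webName) === 1;
}

// Static check: tokenise the generated file (without executing it) and
// report whether it contains an eval() statement.
function contains_eval(string $src): bool
{
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_EVAL) {
            return true;
        }
    }
    return false;
}

// The payload quoted in the advisory, constructed here as sample input.
$payload = "1');eval(\$_POST[cmd]);#";

foreach (['unsafe' => build_config_unsafe($payload),
          'safe'   => build_config_safe($payload)] as $label => $src) {
    printf("--- %s ---\n%s\ncontains eval(): %s\n\n",
           $label, $src, contains_eval($src) ? 'yes' : 'no');
}
printf("payload passes allow-list: %s\n",
       is_valid_web_name($payload) ? 'yes' : 'no');
```

Run it with php on the command line: the unsafe output contains a live eval() reachable through the cmd parameter (everything after # is swallowed as a comment), while the var_export() version is an inert string literal and the payload fails the allow-list. For the workaround, an Apache 2.4 rule such as <Files "Install.php"> Require all denied </Files> placed in plugins/sys, or simply deleting the installer after setup, removes the entry point.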

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2018-17126

Affected Products

Cscms