CVE-2018-19562

Name of the Vulnerable Software and Affected Versions PHPok version 4.9.015

Description An issue was discovered that allows remote attackers to execute arbitrary code. This is achieved through the "Login Background > Program Upgrade > Compressed Packet Upgrade" action, where a .php file is placed inside a ZIP archive and uploaded via the admin.php endpoint, specifically through the "c=update&f=unzip" parameters.

Recommendations For PHPok version 4.9.015, as a temporary workaround, consider disabling the "Compressed Packet Upgrade" feature until a patch is available. Restrict access to the admin.php endpoint to minimize the risk of exploitation. Avoid using the "c=update&f=unzip" parameters in the admin.php endpoint until the issue is resolved.