CVE-2018-19595

Name of the Vulnerable Software and Affected Versions PbootCMS version 1.3.1

Description The issue allows remote attackers to execute arbitrary code. This is achieved through the use of eval with mixed case in a specific URI, such as "index.php/list/5/?current={pboot:if(evAl($ GET[a]))}1{/pboot:if}&a=phpinfo();". The vulnerability is due to an incorrect protection mechanism in the parserIfLabel function within the ParserController.php file.

Recommendations For PbootCMS version 1.3.1, consider disabling the eval function or restricting access to the parserIfLabel function in the ParserController.php file as a temporary workaround until a patch is available. Avoid using the a variable in the affected API endpoint until the issue is resolved.