PT-2018-18751 · Creditwest Bank · Creditwest Bank Cms Project

Ghost · Published 2018-03-24 · Updated 2018-04-24 · CVE-2018-8972

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28

Description: The issue allows remote attackers to inject arbitrary PHP code via cross-site request forgery (CSRF) in the site configuration update functionality. Because the entry point is CSRF, the forged request has to be issued from the browser of an already authenticated user, which is what the UI:R component of the vector reflects. This can be demonstrated by a PHP shell that calls eval on request parameters.

Recommendations: For Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28, consider disabling the site configuration update functionality as a temporary workaround until a patch is available. Restrict access to the eval function to minimize the risk of exploitation.

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers: CVE-2018-8972

Affected Products: Creditwest Bank Cms Project