CVE-2018-9919

Name of the Vulnerable Software and Affected Versions Tp-shop versions 2.0.5 through 2.0.8

Description A web-accessible backdoor exists, allowing remote attackers to obtain sensitive information, attack intranet hosts, or possibly trigger remote command execution. This issue is related to the /vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php endpoint, which writes data from the down url URL into the bddlj local file if the attacker knows the backdoor jmmy parameter.

Recommendations For Tp-shop versions 2.0.5 through 2.0.8, consider restricting access to the /vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php endpoint to minimize the risk of exploitation. Avoid using the jmmy parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.