PT-2019-13561 · Publisure · Publisure
Bourbon Jean-Marie +1 · Published 2019-09-18 · Updated 2019-09-18 · CVE-2019-14252
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Publisure version 2.1.2
Description
An issue in the secure portal of Publisure allows an authenticated administrator to inject arbitrary PHP code using the adminCons.php form. The injected code is stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder, and it remains even if removed from the adminCons.php view, potentially allowing the rogue PHP file to be hidden.
Recommendations
For Publisure version 2.1.2, consider restricting access to the adminCons.php form to prevent arbitrary PHP code injection until a patch is available. As a temporary workaround, monitor and regularly clean up the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder to remove any potentially malicious PHP files.
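One way to carry out the folder monitoring above, as an added example that is not part of the advisory or of Publisure: because the stored file persists after it is removed from the adminCons.php view, the check reads the Templates folder on disk and compares it with a known-good manifest. The function names, the manifest approach and the sample file names are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # <?php and <?= openers


def snapshot(root):
    """Map each file under root (relative path) to its raw bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(root):
    """Known-good manifest: relative path -> SHA-256 of the content."""
    return {rel: hashlib.sha256(data).hexdigest()
            for rel, data in snapshot(root).items()}


def audit(root, baseline):
    """Report files on disk that differ from the manifest.

    Works from the filesystem only, so a file no longer listed in the
    adminCons.php view is still reported.
    """
    findings = []
    current = snapshot(root)
    for rel, data in current.items():
        digest = hashlib.sha256(data).hexdigest()
        if baseline.get(rel) == digest:
            continue
        status = "modified" if rel in baseline else "new"
        findings.append((rel, status, bool(PHP_TAG.search(data))))
    findings += [(rel, "missing", False)
                 for rel in sorted(baseline) if rel not in current]
    return findings


def demo():
    """Constructed sample: one trusted template, then an extra file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "letter.tpl").write_text("Dear {name},")
        baseline = build_baseline(root)
        (root / "note.php").write_bytes(b"<?php /* constructed sample */ ?>")
        return audit(root, baseline)


if __name__ == "__main__":
    for rel, status, has_php in demo():
        print(f"{status:8} php_tag={has_php} {rel}")
```

Build the manifest from a state of the folder that has been reviewed, store it outside the web root, and run `audit` against the Templates folder on a schedule.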
Exploit
Fix
Unrestricted File Upload
Weakness Enumeration
Related identifiers
Affected products
Publisure