CVE-2019-7580

Name of the Vulnerable Software and Affected Versions ThinkCMF version 5.0.190111

Description The issue allows remote attackers to execute arbitrary PHP code. This is due to the mishandling of a single quote character, which enables data/conf/route.php injection via the "alias" parameter in the "portal/admin category/addpost.html" endpoint.

Recommendations For ThinkCMF version 5.0.190111, consider disabling the addpost.html functionality in the portal/admin category module until a patch is available to prevent exploitation. Restrict access to the route.php file to minimize the risk of arbitrary PHP code execution. Avoid using the alias parameter in the affected endpoint until the issue is resolved.