CVE-2019-9652

Name of the Vulnerable Software and Affected Versions SDCMS version 1.7

Description The issue concerns a CSRF that allows PHP code injection. This is achieved by sending a request with m=admin&c=theme&a=edit and providing a filename in the file parameter, along with file content in the t2 parameter.

Recommendations For SDCMS version 1.7, consider implementing CSRF protection mechanisms, such as token-based validation, to prevent unauthorized requests. Additionally, restrict the ability to inject PHP code by validating and sanitizing the file and t2 parameters. As a temporary workaround, consider disabling the theme edit functionality until a patch is available.