CVE-2018-19462

Name of the Vulnerable Software and Affected Versions EmpireCMS versions through 7.5

Description The issue allows remote attackers to execute arbitrary PHP code via SQL injection. This is achieved by using a .php filename in a SELECT INTO OUTFILE statement to admin/admin.php.

Recommendations For EmpireCMS versions through 7.5, consider restricting access to the DoSql.php file in the admindb directory until a patch is available. As a temporary workaround, avoid using the SELECT INTO OUTFILE statement with .php filenames in the admin/admin.php file.