CVE-2020-25557

Name of the Vulnerable Software and Affected Versions CMSuno version 1.6.2

Description The issue allows an attacker to inject malicious PHP code as a username while changing their username and password. After the attacker logs in to the application, their code will be executed, enabling an authenticated user to run commands on the server.

Recommendations For CMSuno version 1.6.2, as a temporary workaround, consider disabling the username change functionality until a patch is available. Restrict access to the login module to minimize the risk of exploitation. Avoid using the username variable in the affected login endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.