CVE-2020-28062

Name of the Vulnerable Software and Affected Versions HisiPHP version 2.0.11

Description An Access Control issue exists, allowing a remote malicious user to execute arbitrary code via specially constructed packets. The vulnerability is related to the $files = Dir::getList($decompath. '/Upload/Plugins/) line, which processes directory listings.

Recommendations For HisiPHP version 2.0.11, consider restricting access to the /Upload/Plugins/ directory to minimize the risk of exploitation. Additionally, review the Dir::getList() function to ensure proper validation and sanitization of input parameters, such as $decompath, to prevent arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.