CVE-2023-31689

Name of the Vulnerable Software and Affected Versions Wcms version 0.3.2

Description The issue allows an attacker to send a crafted request from a vulnerable web application backend server via the "finish" parameter and the textAreaCode parameter in the "/wcms/wex/html.php" endpoint. This enables the attacker to write arbitrary strings into custom file names, upload any files, and write malicious code to execute scripts, potentially triggering command execution.

Recommendations For Wcms version 0.3.2, consider disabling the finish and textAreaCode parameters in the "/wcms/wex/html.php" endpoint until a patch is available. Restrict access to the "/wcms/wex/html.php" endpoint to minimize the risk of exploitation. Avoid using the textAreaCode parameter in the affected endpoint until the issue is resolved.