CVE-2024-8523

Name of the Vulnerable Software and Affected Versions: lmxcms versions up to 1.4

Description: A critical issue was found in the function formatData of the file /admin.php?m=Acquisi&a=testcj&lid=1, which is part of the SQL Command Execution Module. The manipulation of the argument data leads to code injection. This issue can be exploited remotely. The exploit has been disclosed to the public.

Recommendations: For lmxcms versions up to 1.4, as a temporary workaround, consider disabling the formatData function until a patch is available. Restrict access to the /admin.php?m=Acquisi&a=testcj&lid=1 endpoint to minimize the risk of exploitation. Avoid using the data argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.