PT-2024-39297 · Playsms · Playsms

Dhimitri · Published 2024-09-15 · Updated 2024-09-20 · CVE-2024-8880

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: playSMS versions 1.4.4 through 1.4.7
Description: A critical vulnerability has been found in playSMS, affecting an unknown function of the file /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot of the component Template Handler. Manipulation of the username, email, or captcha arguments leads to code injection. The attack can be launched remotely. The complexity of an attack is rather high, and exploitation is reported to be difficult. The exploit has been disclosed to the public and may be used.
Recommendations: To resolve the issue, upgrade the affected component to version >=1.4.4 or use the latest playsms/tpl package. As a temporary workaround, consider restricting access to the vulnerable Template Handler component until a patch is available. Avoid using the username, email, or captcha arguments in the affected API endpoint until the issue is resolved.
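
To decide how tightly to restrict the affected route, it helps to know who is currently reaching it. The following is an added example, not code from playSMS or from this advisory: it counts POST requests to the password-recovery route per client in a web server access log. It assumes Combined Log Format, that the form is submitted by POST, and that the `inc` value is written `core_auth`; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Query parameters that select the password-recovery route named in the advisory.
FORGOT_ROUTE = {"app": "main", "inc": "core_auth", "route": "forgot", "op": "forgot"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_forgot_request(method, target):
    """True for a POST whose query string selects the forgot route."""
    if method != "POST":  # assumption: the recovery form is submitted by POST
        return False
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return False
    query = parse_qs(parts.query)  # decodes %-escapes, ignores parameter order
    return all(value in query.get(key, []) for key, value in FORGOT_ROUTE.items())

def forgot_posts_by_client(lines):
    """Count POSTs to the forgot route per client IP; skip unparseable lines."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_forgot_request(m["method"], m["target"]):
            hits[m["ip"]] += 1
    return hits

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Sep/2024:10:01:02 +0000] "GET /playsms/index.php?app=main&inc=core_auth&route=forgot HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Sep/2024:10:02:11 +0000] "POST /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [16/Sep/2024:10:02:12 +0000] "POST /playsms/index.php?op=forgot&route=forgot&inc=core%5Fauth&app=main HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [16/Sep/2024:10:03:40 +0000] "POST /playsms/index.php?app=main&inc=core_auth&route=login&op=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in forgot_posts_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} POST(s) to the forgot route")
```

Access logs normally omit POST bodies, so these counts show which clients reach the route, not whether the username, email, or captcha arguments were manipulated.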

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2024-8880

Affected Products

Playsms