PT-2025-31688 · Unknown · Instantcms

Published 2025-08-01 · Updated 2025-10-09 · CVE-2013-10051

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

InstantCMS versions prior to 1.7

Description

A remote PHP code execution issue exists due to the unsafe use of the eval() function within the search view handler. User-supplied input via the look parameter is concatenated into a PHP expression and executed without proper sanitization. An attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server.

Recommendations

Update InstantCMS to version 1.7 or later.

Exploit

Fix

Weakness Enumeration

Eval Injection

Related Identifiers

CVE-2013-10051

Affected Products

Instantcms