CVE-2020-37137

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions PHP-Fusion version 9.03.50

Description The software contains a remote code execution issue in the add panel form() function. This allows attackers to execute arbitrary code through the use of an eval() function with unsanitized data received via POST requests. Exploitation occurs by sending crafted panel content parameters to the /panels.php endpoint. The /panels.php endpoint is the target of the attack. The panel content parameter is the vulnerable variable used to inject malicious code.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Eval Injection

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-95CWE-94

Related Identifiers

CVE-2020-37137

Affected Products

Php-Fusion

CVE-2020-37137

Weakness Enumeration

Related Identifiers

Affected Products

References · 6