CVE-2018-19520

Published: Nov 25, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://blog.whiterabbitxyj.com/cve/SDCMS_1.6_code_execution.doc

x_refsource_MISC

https://github.com/WhiteRabbitc/WhiteRabbitc.github.io/blob/master/cve/SDCMS_1.6_code_execution.doc

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2018-19520

Description

Affected Products

References