CSRF Vulnerability in Creditwest Bank CMS Project (CWCMS) Allows Remote Code Injection

CVE-2018-8972 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Creditwest Bank CMS Project (aka CWCMS) through 2017-07-28 has CSRF in the functionality for updating the site configuration, which allows remote attackers to inject arbitrary PHP code, as demonstrated by a PHP shell that calls eval on request parameters.
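
A configuration-update handler hardened against this bug class, as an added example that is not CWCMS code: it rejects requests without a valid per-session CSRF token and stores settings as validated JSON data rather than as PHP source. The file path, setting names, patterns and function names are hypothetical, and the caller is assumed to have called `session_start()`.

```php
<?php
// Added example: hypothetical handler, not taken from CWCMS.
const CONFIG_PATH = __DIR__ . '/site-config.json'; // hypothetical; read as data, never include()d

// Allow-list of settings and the pattern each value must match (constructed).
const ALLOWED_SETTINGS = [
    'site_title'  => '/\A[\p{L}\p{N} .,\-]{1,80}\z/u',
    'admin_email' => '/\A[^@\s]{1,64}@[A-Za-z0-9.\-]{1,190}\z/',
];

// One random token per session, embedded as a hidden field in the settings form.
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or non-string token fails.
function csrfTokenIsValid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Returns only allow-listed keys whose values match their pattern.
function validateSettings(array $input): array
{
    $clean = [];
    foreach (ALLOWED_SETTINGS as $key => $pattern) {
        $value = $input[$key] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Invalid value for $key");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Returns the HTTP status code the caller should send.
function handleConfigUpdate(array $post): int
{
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        return 403; // cross-site request without the session's token
    }
    try {
        $settings = validateSettings($post);
    } catch (InvalidArgumentException $e) {
        return 400;
    }
    // JSON is parsed, not executed, so a value containing PHP tags stays inert text.
    $ok = file_put_contents(CONFIG_PATH, json_encode($settings, JSON_PRETTY_PRINT), LOCK_EX);
    return $ok === false ? 500 : 200;
}
```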
