Arbitrary PHP Code Execution in ThinkCMF 5.0.190111 via Alias Parameter Injection

CVE-2019-7580 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the alias parameter of portal/admin_category/addpost.html. A single quote character in that parameter is mishandled, which allows injection into data/conf/route.php.
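The class of bug described above, user input written into a generated PHP file, can be closed and audited as in the following added example. It is not ThinkCMF's code: the function names, the alias allow-list and the `alias => target` route layout are assumptions, and the sample alias is constructed.

```php
<?php
// Added example, not ThinkCMF code: function names and route layout are assumptions.
declare(strict_types=1);

// Allow-list for aliases (assumed policy): URL-safe characters only.
function validate_alias(string $alias): string
{
    if (!preg_match('#\A[A-Za-z0-9_/-]{1,64}\z#', $alias)) {
        throw new InvalidArgumentException('alias rejected by allow-list');
    }
    return $alias;
}

// var_export() escapes ' and \ in keys and values; emit its output unmodified.
function render_route_file(array $routes): string
{
    return "<?php\nreturn " . var_export($routes, true) . ";\n";
}

// True only if the source is an open tag plus "return <array of scalar literals>;".
function is_pure_data_file(string $source): bool
{
    $ids   = [T_OPEN_TAG, T_RETURN, T_WHITESPACE, T_ARRAY,
              T_CONSTANT_ENCAPSED_STRING, T_DOUBLE_ARROW, T_LNUMBER];
    $chars = ['(', ')', ',', ';', '-'];
    foreach (token_get_all($source) as $tok) {
        $ok = is_array($tok) ? in_array($tok[0], $ids, true)
                             : in_array($tok, $chars, true);
        if (!$ok) {
            return false;
        }
    }
    return true;
}

// Constructed sample: a benign alias that contains a single quote.
$alias  = "news'2019";
$target = 'portal/List/index?id=1';

$naive = "<?php\nreturn array('" . $alias . "' => '" . $target . "');\n";
$safe  = render_route_file([$alias => $target]);

var_dump(is_pure_data_file($naive)); // the quote ends the literal early
var_dump(is_pure_data_file($safe));  // the quote stays inside the literal
try {
    validate_alias($alias);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";     // refused before any file is written
}
```

The tokenizer check can also be run over an existing generated route file during an audit: any token other than a literal, an array constructor or punctuation means the file contains more than data.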
