Arbitrary PHP Code Execution in ThinkCMF 5.0.190111 via Alias Parameter Injection
CVE-2019-7580 · MEDIUM Severity
AV:N/AC:L/Au:S/C:P/I:P/A:P
ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the alias parameter of portal/admin_category/addpost.html, because a single quote character in that parameter is mishandled, which allows injection into data/conf/route.php.
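One way to keep an alias from breaking out of a generated route file, shown as an added example (it is not ThinkCMF's code or its actual fix). The function names, the alias allowlist and the sample routes are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration with hypothetical names; not ThinkCMF's code.

// Assumed policy: an alias is 1-64 chars of letters, digits, '_', '-', '/'.
function is_valid_alias(string $alias): bool
{
    return preg_match('#\A[A-Za-z0-9_\-/]{1,64}\z#', $alias) === 1;
}

// Build the PHP source of a route file from an alias => target map.
// Layer 1: reject aliases outside the allowlist before anything is written.
// Layer 2: let var_export() produce the literal, so quotes and backslashes
//          are escaped by PHP itself instead of by string concatenation.
function render_route_file(array $routes): string
{
    foreach (array_keys($routes) as $alias) {
        if (!is_valid_alias((string) $alias)) {
            throw new InvalidArgumentException('alias rejected by allowlist');
        }
    }
    return "<?php\nreturn " . var_export($routes, true) . ";\n";
}

// Constructed sample data; the second alias contains a single quote.
$good = ['news/latest' => 'portal/list/index'];
$odd  = ["news'latest" => 'portal/list/index'];

echo render_route_file($good);

try {
    render_route_file($odd);
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}

// Layer 2 on its own: the quoted value survives a write/include round trip
// as plain data, because var_export() escaped it.
$tmp = tempnam(sys_get_temp_dir(), 'route');
file_put_contents($tmp, "<?php\nreturn " . var_export($odd, true) . ";\n");
$loaded = include $tmp;
unlink($tmp);
echo ($loaded === $odd) ? "round trip intact\n" : "round trip altered\n";
```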