Summary
w-CMS is prone to a remote code execution vulnerability.
Impact
Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the user running the affected application.
Impact Level: Application
Solution
Ask the vendor for an update.
Insight
Input passed to userFunctions.php is not properly sanitized.
Affected
w-CMS 2.0.1 is vulnerable.
Other versions may also be affected.
Detection
Send an HTTP POST request that executes the phpinfo() command and check the response to see whether it was successful.
References
Updated on 2017-03-28
Severity
Classification
-
CVSS Base Score: 8.5
AV:N/AC:L/Au:N/C:C/I:P/A:N