Summary
w-CMS is prone to a remote code execution vulnerability.
Impact
Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the user running the affected application.
Impact Level: Application
Solution
Ask the vendor for an update.
Insight
Input passed to userFunctions.php is not properly sanitized.
Affected
w-CMS 2.0.1 is vulnerable; other versions may also be affected.
Detection
Send an HTTP POST request that executes the phpinfo() command and check the response to see whether it was successful.
References
Updated on 2017-03-28
Severity
Classification
- CVSS Base Score: 8.5
AV:N/AC:L/Au:N/C:C/I:P/A:N