Vulnerability Details CVE-2018-19127
A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.812
EPSS Ranking 99.1%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References