Thinkcmf: >> Thinkcmf >> 5.0.190111 Security Vulnerabilities
ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the portal/admin_category/addpost.html alias parameter because the mishandling of a single quote character allows data/conf/route.php injection.
CVSS Score
8.8
EPSS Score
0.581
Published
2019-02-07
app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a file_put_contents call.
CVSS Score
9.8
EPSS Score
0.012
Published
2019-01-23