Back to CVE Browser

CVE-2017-9080

HIGH

8.8

CVSS Severity Score

EPSS Score0.0560%

EPSS Percentile8.77th

PublishedMay 19, 2017

Last ModifiedMay 13, 2026

Vulnerability Description

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection.

Affected Platforms (CPE)

📦

Playsms

Playsms

= 1.4

References & Advisories

🔗 http://touhidshaikh.com/blog/poc/playsms-v1-4-rce/

🔗 https://www.exploit-db.com/exploits/42003/

🔗 https://www.exploit-db.com/exploits/44599/

🔗 http://touhidshaikh.com/blog/poc/playsms-v1-4-rce/

🔗 https://www.exploit-db.com/exploits/42003/

🔗 https://www.exploit-db.com/exploits/44599/

Related Vulnerabilities

CVE-2017-91019.8

import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTT...

CVE-2021-403739.8

playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and t...

CVE-2020-86449.8

PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

CVE-2018-183878.8

playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse.